8fbfd0d9515b5d6a079566eab341f41b51c837d63d8726b24986c5edc83a5228

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 18:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a178de0a11e17a05819c22fa335a28e9_JC.exe
Size

64KB
MD5

a178de0a11e17a05819c22fa335a28e9
SHA1

6c08be030226ffed3f7b8847fe923e886c0ebbf3
SHA256

8fbfd0d9515b5d6a079566eab341f41b51c837d63d8726b24986c5edc83a5228
SHA512

4629d39a2ff01937eb48d8ec982c78f4de24203cc67d4a05e1430f4e1967b103ef749c30af5d531a5fbcfbd380b7060be275027d07eaf88f2754c585b70797fc
SSDEEP

1536:joU/+nZxeZxHlFefXVhTHnQKxtf2L2AMCeW:1eZxe7ALPx22pW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfjcnold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qoifflkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biadeoce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhkfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcjmmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ploknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noeahkfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kggcnoic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keimof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlihle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acilajpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojlaeei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmobchj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmalne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggfnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebommi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpmjejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcddcbab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkcfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmhand32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmiclo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hammhcij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdncmghi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqbbpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eglgbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdedak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbelcblk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbaojpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nknobkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhpmgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knqepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbdlop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeoblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhokljge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gochjpho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgipcogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjahlgpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlggjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poajkgnc.exe

Executes dropped EXE 64 IoCs

pid	Process
3920	Dhfajjoj.exe
1248	Danecp32.exe
452	Ddmaok32.exe
996	Dmefhako.exe
3404	Dhkjej32.exe
1852	Deokon32.exe
4116	Dkkcge32.exe
4064	Dhocqigp.exe
116	Doilmc32.exe
3932	Ehapfiem.exe
4820	Emoinpcd.exe
3856	Eglgbdep.exe
3944	Eaakpm32.exe
4708	Ekiohclf.exe
4948	Eachem32.exe
3304	Fgppmd32.exe
4132	Fafdkmap.exe
2944	Fhpmgg32.exe
3360	Fahaplon.exe
4312	Fdfmlhna.exe
1564	Folaiqng.exe
3492	Fefjfked.exe
1260	Fggfnc32.exe
832	Fnaokmco.exe
372	Fkeodaai.exe
4392	Gdncmghi.exe
4712	Gochjpho.exe
3368	Gdppbfff.exe
2992	Gkjhoq32.exe
4488	Gadqlkep.exe
4332	Gohaeo32.exe
1960	Ggcfja32.exe
4872	Gnmnfkia.exe
412	Ghbbcd32.exe
2296	Goljqnpd.exe
5052	Lpneegel.exe
4536	Lejnmncd.exe
4796	Locbfd32.exe
4980	Lihfcm32.exe
1732	Lpbopfag.exe
4280	Lpekef32.exe
4256	Lfodbqfa.exe
3460	Mhppji32.exe
4940	Mojhgbdl.exe
2276	Medqcmki.exe
2468	Mbhamajc.exe
4756	Mefmimif.exe
3880	Mplafeil.exe
4004	Mbjnbqhp.exe
1512	Mekgdl32.exe
1984	Mhicpg32.exe
4456	Mpqkad32.exe
2988	Mfjcnold.exe
756	Nlglfe32.exe
1684	Neppokal.exe
1700	Nlihle32.exe
1908	Nebmekoi.exe
4812	Nhpiafnm.exe
2712	Ncfmno32.exe
4452	Ngaionfl.exe
1824	Nomncpcg.exe
1788	Nheble32.exe
4408	Nplkmckj.exe
3352	Ncjginjn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qofmkc32.dll	Nnkpnclp.exe
File opened for modification	C:\Windows\SysWOW64\Gbalopbn.exe	Gpbpbecj.exe
File created	C:\Windows\SysWOW64\Pemomqcn.exe	Pcobaedj.exe
File created	C:\Windows\SysWOW64\Fbfcmhpg.exe	Fpggamqc.exe
File created	C:\Windows\SysWOW64\Nlfcoqpl.dll	Megljppl.exe
File created	C:\Windows\SysWOW64\Mbnnhndk.dll	Pdhbmh32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Oeicejia.exe	Ncjginjn.exe
File opened for modification	C:\Windows\SysWOW64\Ooejohhq.exe	Oihagaji.exe
File created	C:\Windows\SysWOW64\Jkakadbk.dll	Ccgjopal.exe
File created	C:\Windows\SysWOW64\Mlkpophj.dll	Hmdlmg32.exe
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Dgeenfog.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Fgppmd32.exe	Eachem32.exe
File opened for modification	C:\Windows\SysWOW64\Oofaiokl.exe	Oiihahme.exe
File opened for modification	C:\Windows\SysWOW64\Jkhgmf32.exe	Jhijqj32.exe
File created	C:\Windows\SysWOW64\Fealin32.exe	Fbbpmb32.exe
File opened for modification	C:\Windows\SysWOW64\Bggnof32.exe	Bqmeal32.exe
File created	C:\Windows\SysWOW64\Injmlc32.dll	Dmdhcddh.exe
File created	C:\Windows\SysWOW64\Hbohpn32.exe	Hoclopne.exe
File opened for modification	C:\Windows\SysWOW64\Iojbpo32.exe	Illfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Mekgdl32.exe	Mbjnbqhp.exe
File created	C:\Windows\SysWOW64\Aqkpeopg.exe	Ajqgidij.exe
File created	C:\Windows\SysWOW64\Ploija32.dll	Aobilkcl.exe
File created	C:\Windows\SysWOW64\Ikndgg32.exe	Ihphkl32.exe
File created	C:\Windows\SysWOW64\Cpdfhgmd.dll	Mgehfkop.exe
File created	C:\Windows\SysWOW64\Pejkmk32.exe	Pkegpb32.exe
File created	C:\Windows\SysWOW64\Mdafpj32.dll	Kcbnnpka.exe
File created	C:\Windows\SysWOW64\Kjlopc32.exe	Kofkbk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkbpoog.exe	Jkaicd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekdnei32.exe	Eejeiocj.exe
File created	C:\Windows\SysWOW64\Hmdlmg32.exe	Hiipmhmk.exe
File opened for modification	C:\Windows\SysWOW64\Hmdlmg32.exe	Hiipmhmk.exe
File created	C:\Windows\SysWOW64\Gflhoo32.exe	Gbalopbn.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Ahbjoe32.exe	Aednci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajqgidij.exe	Acgolj32.exe
File opened for modification	C:\Windows\SysWOW64\Aobilkcl.exe	Ajeadd32.exe
File created	C:\Windows\SysWOW64\Ghmpmgdc.dll	Jjopcb32.exe
File created	C:\Windows\SysWOW64\Dmlijb32.dll	Piijno32.exe
File created	C:\Windows\SysWOW64\Eiieicml.exe	Ebommi32.exe
File created	C:\Windows\SysWOW64\Leabba32.dll	Iinqbn32.exe
File created	C:\Windows\SysWOW64\Eghghj32.dll	Lgqfdnah.exe
File created	C:\Windows\SysWOW64\Ejhdfi32.dll	Illfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nfcabp32.exe
File opened for modification	C:\Windows\SysWOW64\Fafdkmap.exe	Fgppmd32.exe
File opened for modification	C:\Windows\SysWOW64\Fnaokmco.exe	Fggfnc32.exe
File created	C:\Windows\SysWOW64\Ialqkblh.dll	Gohaeo32.exe
File created	C:\Windows\SysWOW64\Jdmmkl32.dll	Medqcmki.exe
File created	C:\Windows\SysWOW64\Nlfnaicd.exe	Nelfeo32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Dfggbllc.dll	Ploknb32.exe
File created	C:\Windows\SysWOW64\Nefped32.exe	Nbgcih32.exe
File created	C:\Windows\SysWOW64\Fkpiopih.dll	Qoelkp32.exe
File opened for modification	C:\Windows\SysWOW64\Igfclkdj.exe	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Ciafbg32.exe	Ckmehb32.exe
File created	C:\Windows\SysWOW64\Lgqfdnah.exe	Kdbjhbbd.exe
File created	C:\Windows\SysWOW64\Aknhkd32.dll	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12732	5928	WerFault.exe	755

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdehni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fligqhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gochjpho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphphj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emoinpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialqkblh.dll"	Gohaeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idfaefkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajeadd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqmidndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megljppl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ploknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmfclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkknogn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll"	Ohkkhhmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbekjjm.dll"	Gkjhoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfigpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nabfjpak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqjei32.dll"	Fimodc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbofcghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oejbfmpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oogpjbbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cadlbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgppmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knienl32.dll"	Ebommi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbdoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngaionfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmijq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlggjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmiclo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Nlcalieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll"	Pdmkhgho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipebnafj.dll"	Mekgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll"	Ohnohn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhamkipi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlfnaicd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmfbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbelcblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffceip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhgbbj.dll"	Olehhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biadeoce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqomopfd.dll"	Nknobkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Najmjokc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbpchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaohcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll"	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibmgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bckkca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll"	Jklinohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Ahmjjoig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4612	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3920	964	a178de0a11e17a05819c22fa335a28e9_JC.exe	83
PID 964 wrote to memory of 3920	964	a178de0a11e17a05819c22fa335a28e9_JC.exe	83
PID 964 wrote to memory of 3920	964	a178de0a11e17a05819c22fa335a28e9_JC.exe	83
PID 3920 wrote to memory of 1248	3920	Dhfajjoj.exe	84
PID 3920 wrote to memory of 1248	3920	Dhfajjoj.exe	84
PID 3920 wrote to memory of 1248	3920	Dhfajjoj.exe	84
PID 1248 wrote to memory of 452	1248	Danecp32.exe	85
PID 1248 wrote to memory of 452	1248	Danecp32.exe	85
PID 1248 wrote to memory of 452	1248	Danecp32.exe	85
PID 452 wrote to memory of 996	452	Ddmaok32.exe	86
PID 452 wrote to memory of 996	452	Ddmaok32.exe	86
PID 452 wrote to memory of 996	452	Ddmaok32.exe	86
PID 996 wrote to memory of 3404	996	Dmefhako.exe	87
PID 996 wrote to memory of 3404	996	Dmefhako.exe	87
PID 996 wrote to memory of 3404	996	Dmefhako.exe	87
PID 3404 wrote to memory of 1852	3404	Dhkjej32.exe	88
PID 3404 wrote to memory of 1852	3404	Dhkjej32.exe	88
PID 3404 wrote to memory of 1852	3404	Dhkjej32.exe	88
PID 1852 wrote to memory of 4116	1852	Deokon32.exe	89
PID 1852 wrote to memory of 4116	1852	Deokon32.exe	89
PID 1852 wrote to memory of 4116	1852	Deokon32.exe	89
PID 4116 wrote to memory of 4064	4116	Dkkcge32.exe	90
PID 4116 wrote to memory of 4064	4116	Dkkcge32.exe	90
PID 4116 wrote to memory of 4064	4116	Dkkcge32.exe	90
PID 4064 wrote to memory of 116	4064	Dhocqigp.exe	91
PID 4064 wrote to memory of 116	4064	Dhocqigp.exe	91
PID 4064 wrote to memory of 116	4064	Dhocqigp.exe	91
PID 116 wrote to memory of 3932	116	Doilmc32.exe	92
PID 116 wrote to memory of 3932	116	Doilmc32.exe	92
PID 116 wrote to memory of 3932	116	Doilmc32.exe	92
PID 3932 wrote to memory of 4820	3932	Ehapfiem.exe	95
PID 3932 wrote to memory of 4820	3932	Ehapfiem.exe	95
PID 3932 wrote to memory of 4820	3932	Ehapfiem.exe	95
PID 4820 wrote to memory of 3856	4820	Emoinpcd.exe	96
PID 4820 wrote to memory of 3856	4820	Emoinpcd.exe	96
PID 4820 wrote to memory of 3856	4820	Emoinpcd.exe	96
PID 3856 wrote to memory of 3944	3856	Eglgbdep.exe	97
PID 3856 wrote to memory of 3944	3856	Eglgbdep.exe	97
PID 3856 wrote to memory of 3944	3856	Eglgbdep.exe	97
PID 3944 wrote to memory of 4708	3944	Eaakpm32.exe	98
PID 3944 wrote to memory of 4708	3944	Eaakpm32.exe	98
PID 3944 wrote to memory of 4708	3944	Eaakpm32.exe	98
PID 4708 wrote to memory of 4948	4708	Ekiohclf.exe	99
PID 4708 wrote to memory of 4948	4708	Ekiohclf.exe	99
PID 4708 wrote to memory of 4948	4708	Ekiohclf.exe	99
PID 4948 wrote to memory of 3304	4948	Eachem32.exe	100
PID 4948 wrote to memory of 3304	4948	Eachem32.exe	100
PID 4948 wrote to memory of 3304	4948	Eachem32.exe	100
PID 3304 wrote to memory of 4132	3304	Fgppmd32.exe	101
PID 3304 wrote to memory of 4132	3304	Fgppmd32.exe	101
PID 3304 wrote to memory of 4132	3304	Fgppmd32.exe	101
PID 4132 wrote to memory of 2944	4132	Fafdkmap.exe	102
PID 4132 wrote to memory of 2944	4132	Fafdkmap.exe	102
PID 4132 wrote to memory of 2944	4132	Fafdkmap.exe	102
PID 2944 wrote to memory of 3360	2944	Fhpmgg32.exe	104
PID 2944 wrote to memory of 3360	2944	Fhpmgg32.exe	104
PID 2944 wrote to memory of 3360	2944	Fhpmgg32.exe	104
PID 3360 wrote to memory of 4312	3360	Fahaplon.exe	105
PID 3360 wrote to memory of 4312	3360	Fahaplon.exe	105
PID 3360 wrote to memory of 4312	3360	Fahaplon.exe	105
PID 4312 wrote to memory of 1564	4312	Fdfmlhna.exe	106
PID 4312 wrote to memory of 1564	4312	Fdfmlhna.exe	106
PID 4312 wrote to memory of 1564	4312	Fdfmlhna.exe	106
PID 1564 wrote to memory of 3492	1564	Folaiqng.exe	107

C:\Users\Admin\AppData\Local\Temp\a178de0a11e17a05819c22fa335a28e9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a178de0a11e17a05819c22fa335a28e9_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\Dhfajjoj.exe
  C:\Windows\system32\Dhfajjoj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\Danecp32.exe
    C:\Windows\system32\Danecp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\Ddmaok32.exe
      C:\Windows\system32\Ddmaok32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Ehapfiem.exe
        
        C:\Windows\system32\Ehapfiem.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Emoinpcd.exe
        
        C:\Windows\system32\Emoinpcd.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Eglgbdep.exe
        
        C:\Windows\system32\Eglgbdep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Eaakpm32.exe
        
        C:\Windows\system32\Eaakpm32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Ekiohclf.exe
        
        C:\Windows\system32\Ekiohclf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Eachem32.exe
        
        C:\Windows\system32\Eachem32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Fgppmd32.exe
        
        C:\Windows\system32\Fgppmd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Fafdkmap.exe
        
        C:\Windows\system32\Fafdkmap.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Fhpmgg32.exe
        
        C:\Windows\system32\Fhpmgg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Fahaplon.exe
        
        C:\Windows\system32\Fahaplon.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Folaiqng.exe
        
        C:\Windows\system32\Folaiqng.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Fefjfked.exe
        
        C:\Windows\system32\Fefjfked.exe
        23⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Fggfnc32.exe
        
        C:\Windows\system32\Fggfnc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260

C:\Windows\SysWOW64\Fnaokmco.exe
C:\Windows\system32\Fnaokmco.exe
1⤵
- Executes dropped EXE
PID:832
- C:\Windows\SysWOW64\Fkeodaai.exe
  C:\Windows\system32\Fkeodaai.exe
  2⤵
  - Executes dropped EXE
  PID:372
- - C:\Windows\SysWOW64\Gdncmghi.exe
    C:\Windows\system32\Gdncmghi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:4392
  - - C:\Windows\SysWOW64\Gochjpho.exe
      C:\Windows\system32\Gochjpho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:4712
    - - C:\Windows\SysWOW64\Gdppbfff.exe
        
        C:\Windows\system32\Gdppbfff.exe
        5⤵
        Executes dropped EXE
        
        PID:3368
      - C:\Windows\SysWOW64\Gkjhoq32.exe
        
        C:\Windows\system32\Gkjhoq32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Gadqlkep.exe
        
        C:\Windows\system32\Gadqlkep.exe
        7⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Gohaeo32.exe
        
        C:\Windows\system32\Gohaeo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ggcfja32.exe
        
        C:\Windows\system32\Ggcfja32.exe
        9⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Gnmnfkia.exe
        
        C:\Windows\system32\Gnmnfkia.exe
        10⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Ghbbcd32.exe
        
        C:\Windows\system32\Ghbbcd32.exe
        11⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Goljqnpd.exe
        
        C:\Windows\system32\Goljqnpd.exe
        12⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Lpneegel.exe
        
        C:\Windows\system32\Lpneegel.exe
        13⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Lejnmncd.exe
        
        C:\Windows\system32\Lejnmncd.exe
        14⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Locbfd32.exe
        
        C:\Windows\system32\Locbfd32.exe
        15⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Lihfcm32.exe
        
        C:\Windows\system32\Lihfcm32.exe
        16⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Lpbopfag.exe
        
        C:\Windows\system32\Lpbopfag.exe
        17⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Lpekef32.exe
        
        C:\Windows\system32\Lpekef32.exe
        18⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Lfodbqfa.exe
        
        C:\Windows\system32\Lfodbqfa.exe
        19⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Mhppji32.exe
        
        C:\Windows\system32\Mhppji32.exe
        20⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Mojhgbdl.exe
        
        C:\Windows\system32\Mojhgbdl.exe
        21⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Medqcmki.exe
        
        C:\Windows\system32\Medqcmki.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Mbhamajc.exe
        
        C:\Windows\system32\Mbhamajc.exe
        23⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Mefmimif.exe
        
        C:\Windows\system32\Mefmimif.exe
        24⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Mplafeil.exe
        
        C:\Windows\system32\Mplafeil.exe
        25⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Mbjnbqhp.exe
        
        C:\Windows\system32\Mbjnbqhp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Mekgdl32.exe
        
        C:\Windows\system32\Mekgdl32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mhicpg32.exe
        
        C:\Windows\system32\Mhicpg32.exe
        28⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Mpqkad32.exe
        
        C:\Windows\system32\Mpqkad32.exe
        29⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Mfjcnold.exe
        
        C:\Windows\system32\Mfjcnold.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Nlglfe32.exe
        
        C:\Windows\system32\Nlglfe32.exe
        31⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        32⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Nlihle32.exe
        
        C:\Windows\system32\Nlihle32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        34⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Nhpiafnm.exe
        
        C:\Windows\system32\Nhpiafnm.exe
        35⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Ncfmno32.exe
        
        C:\Windows\system32\Ncfmno32.exe
        36⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Ngaionfl.exe
        
        C:\Windows\system32\Ngaionfl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Nomncpcg.exe
        
        C:\Windows\system32\Nomncpcg.exe
        38⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Nheble32.exe
        
        C:\Windows\system32\Nheble32.exe
        39⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Nplkmckj.exe
        
        C:\Windows\system32\Nplkmckj.exe
        40⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Ncjginjn.exe
        
        C:\Windows\system32\Ncjginjn.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Oeicejia.exe
        
        C:\Windows\system32\Oeicejia.exe
        42⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Oidofh32.exe
        
        C:\Windows\system32\Oidofh32.exe
        43⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Olckbd32.exe
        
        C:\Windows\system32\Olckbd32.exe
        44⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Olehhc32.exe
        
        C:\Windows\system32\Olehhc32.exe
        45⤵
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ocopdn32.exe
        
        C:\Windows\system32\Ocopdn32.exe
        46⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Oiihahme.exe
        
        C:\Windows\system32\Oiihahme.exe
        47⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Oofaiokl.exe
        
        C:\Windows\system32\Oofaiokl.exe
        48⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Ogmijllo.exe
        
        C:\Windows\system32\Ogmijllo.exe
        49⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Oljaccjf.exe
        
        C:\Windows\system32\Oljaccjf.exe
        50⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Oohnonij.exe
        
        C:\Windows\system32\Oohnonij.exe
        51⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Ojnblg32.exe
        
        C:\Windows\system32\Ojnblg32.exe
        52⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Ophjiaql.exe
        
        C:\Windows\system32\Ophjiaql.exe
        53⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Pgbbek32.exe
        
        C:\Windows\system32\Pgbbek32.exe
        54⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Pjpobg32.exe
        
        C:\Windows\system32\Pjpobg32.exe
        55⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        57⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Pfgogh32.exe
        
        C:\Windows\system32\Pfgogh32.exe
        58⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Phelcc32.exe
        
        C:\Windows\system32\Phelcc32.exe
        59⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Ppmcdq32.exe
        
        C:\Windows\system32\Ppmcdq32.exe
        60⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Pckppl32.exe
        
        C:\Windows\system32\Pckppl32.exe
        61⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Pjehmfch.exe
        
        C:\Windows\system32\Pjehmfch.exe
        62⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Plcdiabk.exe
        
        C:\Windows\system32\Plcdiabk.exe
        63⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        64⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pgihfj32.exe
        
        C:\Windows\system32\Pgihfj32.exe
        65⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Pjgebf32.exe
        
        C:\Windows\system32\Pjgebf32.exe
        66⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        67⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Pcpikkge.exe
        
        C:\Windows\system32\Pcpikkge.exe
        68⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Pjjahe32.exe
        
        C:\Windows\system32\Pjjahe32.exe
        69⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Pqcjepfo.exe
        
        C:\Windows\system32\Pqcjepfo.exe
        70⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        71⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Qjlnnemp.exe
        
        C:\Windows\system32\Qjlnnemp.exe
        72⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        73⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Qoifflkg.exe
        
        C:\Windows\system32\Qoifflkg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        75⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Qlmgopjq.exe
        
        C:\Windows\system32\Qlmgopjq.exe
        76⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Aokcklid.exe
        
        C:\Windows\system32\Aokcklid.exe
        77⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Acgolj32.exe
        
        C:\Windows\system32\Acgolj32.exe
        78⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Ajqgidij.exe
        
        C:\Windows\system32\Ajqgidij.exe
        79⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Aqkpeopg.exe
        
        C:\Windows\system32\Aqkpeopg.exe
        80⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Ahfdjanb.exe
        
        C:\Windows\system32\Ahfdjanb.exe
        82⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        83⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ackigjmh.exe
        
        C:\Windows\system32\Ackigjmh.exe
        84⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ajeadd32.exe
        
        C:\Windows\system32\Ajeadd32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Aobilkcl.exe
        
        C:\Windows\system32\Aobilkcl.exe
        86⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        87⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Aijnep32.exe
        
        C:\Windows\system32\Aijnep32.exe
        88⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        89⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Aglnbhal.exe
        
        C:\Windows\system32\Aglnbhal.exe
        90⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Aimkjp32.exe
        
        C:\Windows\system32\Aimkjp32.exe
        91⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        92⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Bgnkhg32.exe
        
        C:\Windows\system32\Bgnkhg32.exe
        93⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Biogppeg.exe
        
        C:\Windows\system32\Biogppeg.exe
        94⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        95⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        96⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Bfchidda.exe
        
        C:\Windows\system32\Bfchidda.exe
        97⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Bqilgmdg.exe
        
        C:\Windows\system32\Bqilgmdg.exe
        99⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Bcghch32.exe
        
        C:\Windows\system32\Bcghch32.exe
        100⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        101⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        102⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        103⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Bqmeal32.exe
        
        C:\Windows\system32\Bqmeal32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        105⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Bjfjka32.exe
        
        C:\Windows\system32\Bjfjka32.exe
        106⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Cmdfgm32.exe
        
        C:\Windows\system32\Cmdfgm32.exe
        107⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ccnncgmc.exe
        
        C:\Windows\system32\Ccnncgmc.exe
        108⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        109⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Cjhfpa32.exe
        
        C:\Windows\system32\Cjhfpa32.exe
        110⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Cmfclm32.exe
        
        C:\Windows\system32\Cmfclm32.exe
        111⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Cpeohh32.exe
        
        C:\Windows\system32\Cpeohh32.exe
        112⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        113⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Cgndoeag.exe
        
        C:\Windows\system32\Cgndoeag.exe
        114⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        115⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Caghhk32.exe
        
        C:\Windows\system32\Caghhk32.exe
        116⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        117⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Gnjjfegi.exe
        
        C:\Windows\system32\Gnjjfegi.exe
        118⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        119⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        120⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Giqkkf32.exe
        
        C:\Windows\system32\Giqkkf32.exe
        121⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Gahcmd32.exe
        
        C:\Windows\system32\Gahcmd32.exe
        122⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hhbkinel.exe
        
        C:\Windows\system32\Hhbkinel.exe
        123⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Hkpheidp.exe
        
        C:\Windows\system32\Hkpheidp.exe
        124⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Hpmpnp32.exe
        
        C:\Windows\system32\Hpmpnp32.exe
        125⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        126⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        127⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        129⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        130⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        131⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Hglaej32.exe
        
        C:\Windows\system32\Hglaej32.exe
        132⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Hdpbon32.exe
        
        C:\Windows\system32\Hdpbon32.exe
        133⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Hkjjlhle.exe
        
        C:\Windows\system32\Hkjjlhle.exe
        134⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        135⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        136⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Ijogmdqm.exe
        
        C:\Windows\system32\Ijogmdqm.exe
        137⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        138⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        140⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Inmpcc32.exe
        
        C:\Windows\system32\Inmpcc32.exe
        141⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Igedlh32.exe
        
        C:\Windows\system32\Igedlh32.exe
        142⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Ijcahd32.exe
        
        C:\Windows\system32\Ijcahd32.exe
        143⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        144⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Iqmidndd.exe
        
        C:\Windows\system32\Iqmidndd.exe
        145⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        146⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        147⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Igjngh32.exe
        
        C:\Windows\system32\Igjngh32.exe
        148⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        149⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Jhijqj32.exe
        
        C:\Windows\system32\Jhijqj32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        152⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Jhlgfj32.exe
        
        C:\Windows\system32\Jhlgfj32.exe
        154⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        155⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Jbdlop32.exe
        
        C:\Windows\system32\Jbdlop32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Jhndljll.exe
        
        C:\Windows\system32\Jhndljll.exe
        157⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Jgadgf32.exe
        
        C:\Windows\system32\Jgadgf32.exe
        158⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Jjopcb32.exe
        
        C:\Windows\system32\Jjopcb32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Jqiipljg.exe
        
        C:\Windows\system32\Jqiipljg.exe
        160⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Jdedak32.exe
        
        C:\Windows\system32\Jdedak32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        162⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        163⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        164⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Jibmgi32.exe
        
        C:\Windows\system32\Jibmgi32.exe
        165⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        167⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        169⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Noeahkfc.exe
        
        C:\Windows\system32\Noeahkfc.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        171⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Nliaao32.exe
        
        C:\Windows\system32\Nliaao32.exe
        172⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        173⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        174⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        176⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Nhbolp32.exe
        
        C:\Windows\system32\Nhbolp32.exe
        177⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Nkqkhk32.exe
        
        C:\Windows\system32\Nkqkhk32.exe
        178⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        180⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        181⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Oidhlb32.exe
        
        C:\Windows\system32\Oidhlb32.exe
        182⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        183⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        184⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        185⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        186⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        187⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        188⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        189⤵
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        190⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8176
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        192⤵
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        193⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        194⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7452
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        196⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Pkhjph32.exe
        
        C:\Windows\system32\Pkhjph32.exe
        197⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        198⤵
        Drops file in System32 directory
        
        PID:7660
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        199⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Piijno32.exe
        
        C:\Windows\system32\Piijno32.exe
        200⤵
        Drops file in System32 directory
        
        PID:7800
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        202⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Qadoba32.exe
        
        C:\Windows\system32\Qadoba32.exe
        203⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        204⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        205⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Qkmdkgob.exe
        
        C:\Windows\system32\Qkmdkgob.exe
        206⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        207⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        208⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        209⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7732
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        211⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Ahcajk32.exe
        
        C:\Windows\system32\Ahcajk32.exe
        212⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        213⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        214⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        215⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        216⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        217⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Aoofle32.exe
        
        C:\Windows\system32\Aoofle32.exe
        218⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Aanbhp32.exe
        
        C:\Windows\system32\Aanbhp32.exe
        219⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        220⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        221⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Aoabad32.exe
        
        C:\Windows\system32\Aoabad32.exe
        222⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Acmobchj.exe
        
        C:\Windows\system32\Acmobchj.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        224⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Bhamkipi.exe
        
        C:\Windows\system32\Bhamkipi.exe
        226⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        227⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        228⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Bcinna32.exe
        
        C:\Windows\system32\Bcinna32.exe
        229⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        230⤵
        Modifies registry class
        
        PID:8256
        
        C:\Windows\SysWOW64\Cfigpm32.exe
        
        C:\Windows\system32\Cfigpm32.exe
        231⤵
        Modifies registry class
        
        PID:8304
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        232⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        233⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        234⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        235⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        236⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        237⤵
        Drops file in System32 directory
        
        PID:8584
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        238⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Ckpbnb32.exe
        
        C:\Windows\system32\Ckpbnb32.exe
        239⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Ccgjopal.exe
        
        C:\Windows\system32\Ccgjopal.exe
        240⤵
        Drops file in System32 directory
        
        PID:8712
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        241⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Dkbocbog.exe
        
        C:\Windows\system32\Dkbocbog.exe
        242⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8860
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        244⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Dmdhcddh.exe
        
        C:\Windows\system32\Dmdhcddh.exe
        245⤵
        Drops file in System32 directory
        
        PID:8948
        
        C:\Windows\SysWOW64\Dcnqpo32.exe
        
        C:\Windows\system32\Dcnqpo32.exe
        246⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        247⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        248⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9124
        
        C:\Windows\SysWOW64\Eiobceef.exe
        
        C:\Windows\system32\Eiobceef.exe
        250⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        251⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        252⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        253⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        254⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        255⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Ebommi32.exe
        
        C:\Windows\system32\Ebommi32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        257⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        258⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        259⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        260⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Fbcfhibj.exe
        
        C:\Windows\system32\Fbcfhibj.exe
        261⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        262⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        263⤵
        Modifies registry class
        
        PID:8900
        
        C:\Windows\SysWOW64\Fllkqn32.exe
        
        C:\Windows\system32\Fllkqn32.exe
        264⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        265⤵
        Drops file in System32 directory
        
        PID:9028
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        266⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Fibhpbea.exe
        
        C:\Windows\system32\Fibhpbea.exe
        267⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        268⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        269⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Gfheof32.exe
        
        C:\Windows\system32\Gfheof32.exe
        270⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        271⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        272⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        273⤵
        Modifies registry class
        
        PID:8564
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        274⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Glgjlm32.exe
        
        C:\Windows\system32\Glgjlm32.exe
        275⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        276⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        277⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        278⤵
        Modifies registry class
        
        PID:8888
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        279⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9104
        
        C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        281⤵
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        282⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        283⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Hdehni32.exe
        
        C:\Windows\system32\Hdehni32.exe
        284⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Hgdejd32.exe
        
        C:\Windows\system32\Hgdejd32.exe
        285⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Hgfapd32.exe
        
        C:\Windows\system32\Hgfapd32.exe
        286⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        287⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        288⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        289⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        290⤵
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        291⤵
        Modifies registry class
        
        PID:8248
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8520
        
        C:\Windows\SysWOW64\Ipmbjgpi.exe
        
        C:\Windows\system32\Ipmbjgpi.exe
        293⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Icknfcol.exe
        
        C:\Windows\system32\Icknfcol.exe
        294⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ikbfgppo.exe
        
        C:\Windows\system32\Ikbfgppo.exe
        295⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        296⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Ikdcmpnl.exe
        
        C:\Windows\system32\Ikdcmpnl.exe
        297⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        298⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        299⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        300⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        301⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        302⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        303⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        304⤵
        Modifies registry class
        
        PID:9272
        
        C:\Windows\SysWOW64\Jddnfd32.exe
        
        C:\Windows\system32\Jddnfd32.exe
        305⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        306⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        307⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        308⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        309⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        310⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Kggcnoic.exe
        
        C:\Windows\system32\Kggcnoic.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9588
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        312⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        313⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9716
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        315⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        316⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        317⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        318⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        319⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        320⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        321⤵
        Drops file in System32 directory
        
        PID:10012
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10056
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10100
        
        C:\Windows\SysWOW64\Lddgmbpb.exe
        
        C:\Windows\system32\Lddgmbpb.exe
        324⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        325⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10224
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        327⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9256
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        328⤵
        Drops file in System32 directory
        
        PID:9344
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        329⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        330⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        331⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        332⤵
        Modifies registry class
        
        PID:9640
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        333⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        334⤵
        Drops file in System32 directory
        
        PID:9772
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        335⤵
        Modifies registry class
        
        PID:9848
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        336⤵
        Modifies registry class
        
        PID:9916
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9980
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        338⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        339⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        340⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        341⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        342⤵
        Drops file in System32 directory
        
        PID:9312
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        343⤵
        Modifies registry class
        
        PID:9408
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        344⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        345⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        346⤵
        Modifies registry class
        
        PID:9816
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        347⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        348⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        349⤵
        Modifies registry class
        
        PID:10176
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        350⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        351⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        352⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        353⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        354⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        355⤵
        Modifies registry class
        
        PID:10108
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        356⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        357⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        358⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        359⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        360⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        361⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        362⤵
        Drops file in System32 directory
        
        PID:10088
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        363⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        364⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        365⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        366⤵
        Drops file in System32 directory
        
        PID:10340
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        367⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        368⤵
        Modifies registry class
        
        PID:10428
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        369⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        370⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        371⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        372⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        373⤵
        Drops file in System32 directory
        
        PID:10656
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        374⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\Amjillkj.exe
        
        C:\Windows\system32\Amjillkj.exe
        375⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        376⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10792
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        377⤵
        Modifies registry class
        
        PID:10836
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        378⤵
        Drops file in System32 directory
        
        PID:10888
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        379⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        380⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        381⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        382⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        383⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        384⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        385⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        386⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        387⤵
        Modifies registry class
        
        PID:9976
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        388⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        389⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        390⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        391⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        392⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        393⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        394⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10744
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        395⤵
        Modifies registry class
        
        PID:10820
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        396⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        397⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10956
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        398⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        399⤵
        Drops file in System32 directory
        
        PID:11088
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        400⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        401⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        402⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        403⤵
        Modifies registry class
        
        PID:10376
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        404⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10488
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        405⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        406⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        407⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        408⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        409⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        410⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        411⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        412⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        413⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        414⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        415⤵
        Modifies registry class
        
        PID:11192
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        416⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        417⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        418⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        419⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        420⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        421⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        422⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        423⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        424⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        425⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        426⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        427⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        428⤵
        Drops file in System32 directory
        
        PID:10316
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        429⤵
        Drops file in System32 directory
        
        PID:9288
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        430⤵
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        431⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        432⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        433⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        434⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        435⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        436⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        437⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        438⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        439⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        440⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        441⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        442⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        443⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        444⤵
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        445⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        446⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        447⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        448⤵
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        449⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        450⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        451⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        452⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        453⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        454⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        455⤵
        Modifies registry class
        
        PID:10828
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        456⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        457⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        458⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        459⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2408
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        460⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        461⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        462⤵
        Drops file in System32 directory
        
        PID:11312
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        463⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        464⤵
        Modifies registry class
        
        PID:11392
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        465⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        466⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11492
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        467⤵
        
        PID:11532
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        468⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        469⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        470⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        471⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        472⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        473⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        474⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        475⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        476⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        477⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        478⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        479⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        480⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12172
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        481⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12224
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        482⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        483⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        484⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        485⤵
        
        PID:11480
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        486⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        487⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        488⤵
        Drops file in System32 directory
        
        PID:11752
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        489⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        490⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        491⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11920
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        492⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        493⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        494⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        495⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        496⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11280
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        497⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        498⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        499⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        500⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        501⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        502⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        503⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5092
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        504⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        505⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        506⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12272
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        507⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        508⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        509⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        510⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        511⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        512⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        513⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        514⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        515⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        516⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        517⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        518⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        519⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        520⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        521⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        522⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        523⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        524⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        525⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12156
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        526⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        527⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        528⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        529⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        530⤵
        
        PID:772

C:\Windows\SysWOW64\Nfohgqlg.exe
C:\Windows\system32\Nfohgqlg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11916
- C:\Windows\SysWOW64\Nnfpinmi.exe
  C:\Windows\system32\Nnfpinmi.exe
  2⤵
  - Modifies registry class
  PID:11964
- - C:\Windows\SysWOW64\Nadleilm.exe
    C:\Windows\system32\Nadleilm.exe
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\Npgmpf32.exe
      C:\Windows\system32\Npgmpf32.exe
      4⤵
      PID:2752
    - - C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        5⤵
        
        PID:1548
      - C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        6⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        9⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        11⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3424
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        13⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        14⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        15⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        16⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        17⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        18⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        19⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        20⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        21⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        22⤵
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        23⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        24⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        25⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        27⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        28⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        29⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        30⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        31⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        32⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        33⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        34⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        35⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        36⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        37⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        38⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        40⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        41⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        42⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        43⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        44⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        45⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        46⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        48⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        49⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        50⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        51⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        52⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        53⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        54⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        55⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        56⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        57⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        58⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        59⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        60⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        61⤵
        Drops file in System32 directory
        
        PID:12568
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12620

C:\Windows\SysWOW64\Ahfmpnql.exe
C:\Windows\system32\Ahfmpnql.exe
1⤵
PID:12656
- C:\Windows\SysWOW64\Agimkk32.exe
  C:\Windows\system32\Agimkk32.exe
  2⤵
  PID:12696
- - C:\Windows\SysWOW64\Aopemh32.exe
    C:\Windows\system32\Aopemh32.exe
    3⤵
    - Modifies registry class
    PID:12740
  - - C:\Windows\SysWOW64\Aaoaic32.exe
      C:\Windows\system32\Aaoaic32.exe
      4⤵
      Modifies registry class
      PID:12780
    - - C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        5⤵
        Drops file in System32 directory
        
        PID:12828
      - C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        6⤵
        
        PID:12876
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        7⤵
        
        PID:12924
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        8⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        9⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        10⤵
        
        PID:13076

C:\Windows\SysWOW64\Bklomh32.exe
C:\Windows\system32\Bklomh32.exe
1⤵
PID:13116
- C:\Windows\SysWOW64\Bmjkic32.exe
  C:\Windows\system32\Bmjkic32.exe
  2⤵
  PID:13156
- - C:\Windows\SysWOW64\Bphgeo32.exe
    C:\Windows\system32\Bphgeo32.exe
    3⤵
    PID:13196
  - - C:\Windows\SysWOW64\Bhpofl32.exe
      C:\Windows\system32\Bhpofl32.exe
      4⤵
      PID:13232
    - - C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        5⤵
        
        PID:13280
      - C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        6⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        7⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        8⤵
        Drops file in System32 directory
        
        PID:12372
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        9⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        10⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        11⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        12⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12604
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        14⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        15⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        16⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        17⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        19⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        20⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        21⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:13036
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        24⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        25⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        26⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        27⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        28⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        30⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        31⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        32⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        33⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        34⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        35⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 416
        36⤵
        Program crash
        
        PID:12732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5928 -ip 5928
1⤵
PID:12684

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
64KB

MD5
05ec28eab84ea44ccb6c84b68eb90080

SHA1
c088650d70ca5dde644bb08a15c38d619b99a063

SHA256
bcdc559b92a0e34036dcbe8c67508e2e49d3a621c86d4a2ca575cdc2cadcec92

SHA512
4e9c4912c04c532f2be4bd2d47c2209b34411a22146c8a0f39c3cfd611abcd2fd3383a9c2c4a5ab54838f4dcb0fd1d39ef2c37c02272c6a093dbef311b73dcfc

Download Submit
C:\Windows\SysWOW64\Aonoao32.exe

Filesize
64KB

MD5
efd6d0ef2a2009a8cf178212f92d4b8a

SHA1
c14ad85fadc334ebb5e2747890a821277e1e3f22

SHA256
51cff2dd725ebfe7a65b99f8dd778e6b1cfdcb14a2da5d0137c9503f7d16dc47

SHA512
31fbac99042733905d53fa637f9432885777d06ec7c160b98b44120b23738d55cdda5678af1452fc191a06b977012670a397c4b458dd39b75fa1cca2e7a48a1f

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
64KB

MD5
4283270fda29c05995083aa852c56414

SHA1
ca51c18b72f362ff8ad045ed2b010cac8e4738a6

SHA256
1e5d72eec3c5abcf2772c12586fc1060b30bf477f6495539851a034a1ccde2a4

SHA512
2e065885ce81118a390d59f3c1100e47e487a2e25b5b2d50c4899770f56feee5af5e241c2df849dcb28992234d57e8163ba758abfec49f395cd6ac486b45b8c9

Download Submit
C:\Windows\SysWOW64\Cpeohh32.exe

Filesize
64KB

MD5
a0ab29191fb7d4cc74e98670f7318109

SHA1
c35f6e08c0eab16e463700642a15bd60a72a5378

SHA256
2cabcfe9486060f5a827627d09acf11d256d9231d431afa89152c3b60eada6ec

SHA512
11a04db46d050d532f106c1fcf83177879e37d917b2045234ec31ba0884043448a4f85ad0a0c3af861ab578fc7a01f997d0dde23c53ad345a5d71f55e1b24c05

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
9301546bf99b1f180364412ea496d2b9

SHA1
888accb79f05fb06a598f8694d08a680254f91e5

SHA256
bbb16685e4a4043542164f0e983de1c9220703eb6f3f47543d66dde3a72e9f06

SHA512
89894e347359247e3d93ffb95d94b34e6c29de640e3be3577ad32bd9c01152f6393f083d90dd9b965806215f387488fd79ea5c9f32796585734e995ed4e819fb

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
9301546bf99b1f180364412ea496d2b9

SHA1
888accb79f05fb06a598f8694d08a680254f91e5

SHA256
bbb16685e4a4043542164f0e983de1c9220703eb6f3f47543d66dde3a72e9f06

SHA512
89894e347359247e3d93ffb95d94b34e6c29de640e3be3577ad32bd9c01152f6393f083d90dd9b965806215f387488fd79ea5c9f32796585734e995ed4e819fb

Download Submit
C:\Windows\SysWOW64\Dbcmakpl.exe

Filesize
64KB

MD5
46dfde73257c1b2f5b62259c642354ab

SHA1
6d47a20ee95e5d3f9074537438d44381cc373da1

SHA256
b44fed86dd92eee9adcd9a88c18f480f4255b0620131ef558cab4169a24cf41d

SHA512
9389347472382e3ef746a9f2546787bf6dd3dacecb2cf023cdb583b66465096e7dd3ff58a6d0f7e50ea8552dec3f9d1163610c9cfeb2c3d42d84129af7d69f11

Download Submit
C:\Windows\SysWOW64\Dcnqpo32.exe

Filesize
64KB

MD5
b01df75a8c7d226d0100e20f3a2fc869

SHA1
c0c25b395b8b9a497cf1dfd02697175dff42a80a

SHA256
50e81f2a078c5783f937fd7609ac32ce3ffae60cef14bf95ef8ad2a4d3ff6a02

SHA512
ed799c3cbad27ade92738c830db08418866e0d50018a06c1cf7b07b76f5ba63ebcda06a93810acb94629b82ec9b1c4be923a18e8509c826958717ed2ff975a31

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
d0aa1eec71292949ff7d1f256c921b29

SHA1
61b636f24cd3a2b8a28437fc5fb2658b9d0d9316

SHA256
6e1b1e464659ca65811cab474284eb2bd17cb12b0e619bbe837005e9e03b30cf

SHA512
df9ada90e85a29090712322eedc282b576fb49e04e081c6729d576993f9fed943d67e354e5afe565f5b37cabe1c732764e87545b7acd8f76b391d9184a82b805

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
d0aa1eec71292949ff7d1f256c921b29

SHA1
61b636f24cd3a2b8a28437fc5fb2658b9d0d9316

SHA256
6e1b1e464659ca65811cab474284eb2bd17cb12b0e619bbe837005e9e03b30cf

SHA512
df9ada90e85a29090712322eedc282b576fb49e04e081c6729d576993f9fed943d67e354e5afe565f5b37cabe1c732764e87545b7acd8f76b391d9184a82b805

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
f0393de20d4f9a46e9cbc1895229e4d2

SHA1
a7c8cf613bb62f58721631bd6659275f6b3439e2

SHA256
86a42c5902995dceacadbba97459b9a75460211fea73189608ce9943e510fc49

SHA512
61de2ed843de51d7c8df72cea6c04f4144f5891064300778bfc082991f044299031c2d77a3eb2b54dec902cbfac520960e28c709de9bb5d5da7d2a0ee30820bb

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
f0393de20d4f9a46e9cbc1895229e4d2

SHA1
a7c8cf613bb62f58721631bd6659275f6b3439e2

SHA256
86a42c5902995dceacadbba97459b9a75460211fea73189608ce9943e510fc49

SHA512
61de2ed843de51d7c8df72cea6c04f4144f5891064300778bfc082991f044299031c2d77a3eb2b54dec902cbfac520960e28c709de9bb5d5da7d2a0ee30820bb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
e5f4ba35504d2abfda7031f5f69497e0

SHA1
af870473cba1970479837a7e77a1bda3332a0376

SHA256
8fb02da1afe00155941e047bb687cb2f585d7e0f5d4da9aacf35f8c954853611

SHA512
3570f058b39e8a454606b54a5c3d3787dbeee97196b9c678b06b2a697ab4258252bce8fd1018bc84427bb5751880cbba3dc888a4db85381f5a0e33c07c6ab552

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
e5f4ba35504d2abfda7031f5f69497e0

SHA1
af870473cba1970479837a7e77a1bda3332a0376

SHA256
8fb02da1afe00155941e047bb687cb2f585d7e0f5d4da9aacf35f8c954853611

SHA512
3570f058b39e8a454606b54a5c3d3787dbeee97196b9c678b06b2a697ab4258252bce8fd1018bc84427bb5751880cbba3dc888a4db85381f5a0e33c07c6ab552

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
b9ab307f8dd0b1f73fadb764a76a177b

SHA1
d5f50b5b519e607b6c5425898807e2a2bb3ed500

SHA256
e6ba38a08ac2936a23b76f6582f55911f2074a7e556af3568b4bec33b7e69877

SHA512
eccd9ed3403e21911cbfca8ff40b7ba3a03042da35d47affab425703d79fdb563f64aa277e28bf3900efbb7fc261c0f2dd7837e43a855cc71a8bda36d511c52a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
b9ab307f8dd0b1f73fadb764a76a177b

SHA1
d5f50b5b519e607b6c5425898807e2a2bb3ed500

SHA256
e6ba38a08ac2936a23b76f6582f55911f2074a7e556af3568b4bec33b7e69877

SHA512
eccd9ed3403e21911cbfca8ff40b7ba3a03042da35d47affab425703d79fdb563f64aa277e28bf3900efbb7fc261c0f2dd7837e43a855cc71a8bda36d511c52a

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
545aa3e89f7d19d013469d0a5293a3a5

SHA1
40b6bc55297ad29f543d20fb3b44d8a9c16ba872

SHA256
54cb29c5834c276c926f5cda13817548e8910e9b70b5cd8ed4167b8be9ebf435

SHA512
6d214d76595696eeaaad493dd8f4fa20e09eb9da8c542b406c64e1e559f58e15304182f33df9a0b04a4787e0a05af718262e371d66163f8da9330a2e9b85cf40

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
545aa3e89f7d19d013469d0a5293a3a5

SHA1
40b6bc55297ad29f543d20fb3b44d8a9c16ba872

SHA256
54cb29c5834c276c926f5cda13817548e8910e9b70b5cd8ed4167b8be9ebf435

SHA512
6d214d76595696eeaaad493dd8f4fa20e09eb9da8c542b406c64e1e559f58e15304182f33df9a0b04a4787e0a05af718262e371d66163f8da9330a2e9b85cf40

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
e6d63953ad36195b99cb6e70d4353ed7

SHA1
fdcbec5b5447651f454419d6691a8c3bb9b6f11d

SHA256
1358d4eed7fea019507b0787988a3c76a1bf74d3e3628f3cdaf24f042867792c

SHA512
eba0186a98e936dea2a9af9c9202451554abbc938e879cab525fc1b7f3297342b618a0e316c6c323e4e71485ebcf85a131637160370be710c9e4e04e3deab7a0

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
e6d63953ad36195b99cb6e70d4353ed7

SHA1
fdcbec5b5447651f454419d6691a8c3bb9b6f11d

SHA256
1358d4eed7fea019507b0787988a3c76a1bf74d3e3628f3cdaf24f042867792c

SHA512
eba0186a98e936dea2a9af9c9202451554abbc938e879cab525fc1b7f3297342b618a0e316c6c323e4e71485ebcf85a131637160370be710c9e4e04e3deab7a0

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
0f81b8cc93719147e17ddd97d5f59749

SHA1
f06e7f3c94f64981ba81ad8e644cffcc09256233

SHA256
b416cb4383e093d0488017119b6afb864eae4f7071db5ae73e8533b57fcdfc0b

SHA512
6eedd9cf8f086027cd3e5f938d731c71c4fa7599cfd5e3941cf5c07d3e71d04b342b0d55b14954abed8be32199fc6cccab17513c5a74a9ed4dbb4512f3ff96fd

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
0f81b8cc93719147e17ddd97d5f59749

SHA1
f06e7f3c94f64981ba81ad8e644cffcc09256233

SHA256
b416cb4383e093d0488017119b6afb864eae4f7071db5ae73e8533b57fcdfc0b

SHA512
6eedd9cf8f086027cd3e5f938d731c71c4fa7599cfd5e3941cf5c07d3e71d04b342b0d55b14954abed8be32199fc6cccab17513c5a74a9ed4dbb4512f3ff96fd

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
64KB

MD5
26c0f450eb5dd7a7018cbcd574e6ebb9

SHA1
7390661701f2236bc43abbf4622ffa6533159f06

SHA256
76b9d5ed78d1a22b4989b5fcbf456c4675e27150429a91ea55535d615b1e8fd7

SHA512
7b3d2d1b76afd60bb42f6e67c5e9f66c4d874ed07e0d7477c61580211379475dc4f5d03bcdf961a89e744a54655b3375137a6bd76eb99b7ab7050a2dc6eb70ce

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
64KB

MD5
26c0f450eb5dd7a7018cbcd574e6ebb9

SHA1
7390661701f2236bc43abbf4622ffa6533159f06

SHA256
76b9d5ed78d1a22b4989b5fcbf456c4675e27150429a91ea55535d615b1e8fd7

SHA512
7b3d2d1b76afd60bb42f6e67c5e9f66c4d874ed07e0d7477c61580211379475dc4f5d03bcdf961a89e744a54655b3375137a6bd76eb99b7ab7050a2dc6eb70ce

Download Submit
C:\Windows\SysWOW64\Eaakpm32.exe

Filesize
64KB

MD5
24311e927e58a14c4e5e781fc78eddd7

SHA1
f75afb2e76b81b07efbae826903d3eaa366dac79

SHA256
512387e409cec7d089d7cf54a51b02cc5e03cfc5fac88719e7f8849e6feeb7d4

SHA512
2e8e759a80b12ce4fe4026df8822b8cd36f9f83ec75b652347dc2f4c7e95324544a4a15129d9d5a081e6172e1c4486640d3fd466cdaff167f6bd12542ebd1d98

Download Submit
C:\Windows\SysWOW64\Eaakpm32.exe

Filesize
64KB

MD5
24311e927e58a14c4e5e781fc78eddd7

SHA1
f75afb2e76b81b07efbae826903d3eaa366dac79

SHA256
512387e409cec7d089d7cf54a51b02cc5e03cfc5fac88719e7f8849e6feeb7d4

SHA512
2e8e759a80b12ce4fe4026df8822b8cd36f9f83ec75b652347dc2f4c7e95324544a4a15129d9d5a081e6172e1c4486640d3fd466cdaff167f6bd12542ebd1d98

Download Submit
C:\Windows\SysWOW64\Eachem32.exe

Filesize
64KB

MD5
f274bb35fb034d213fd633b07c70a0bf

SHA1
3653bc974119a3d02e2aa3dc0edf6fdcf077c270

SHA256
f638364ee3018ee01ca519881dfc821ca46cd2b76b161234fcde1fb3822d3124

SHA512
a839b57eb0db5772047929ce4737d75608d6655827748517cb4332f1fd0a36ae6faca02090868b40118489d0be74ac75637a2765b481d773b332026a5baef698

Download Submit
C:\Windows\SysWOW64\Eachem32.exe

Filesize
64KB

MD5
f274bb35fb034d213fd633b07c70a0bf

SHA1
3653bc974119a3d02e2aa3dc0edf6fdcf077c270

SHA256
f638364ee3018ee01ca519881dfc821ca46cd2b76b161234fcde1fb3822d3124

SHA512
a839b57eb0db5772047929ce4737d75608d6655827748517cb4332f1fd0a36ae6faca02090868b40118489d0be74ac75637a2765b481d773b332026a5baef698

Download Submit
C:\Windows\SysWOW64\Eglgbdep.exe

Filesize
64KB

MD5
3e13857d3a0662fe356f86ecda799423

SHA1
740aa84e7e1198255569618524822656e9d4173e

SHA256
156174dd25d13650c7f604e719b74a0d8e5d2b33cca7adce1280ead11c5139f6

SHA512
00ef5cc54b9bb0e155d1efb6be6aafdde7c7a6d4ed767fc5276f0dc085624f33a72903bb15f0591b2dd6e785e4323b5d7e3032ad6e629784b044ff6e1d101799

Download Submit
C:\Windows\SysWOW64\Eglgbdep.exe

Filesize
64KB

MD5
3e13857d3a0662fe356f86ecda799423

SHA1
740aa84e7e1198255569618524822656e9d4173e

SHA256
156174dd25d13650c7f604e719b74a0d8e5d2b33cca7adce1280ead11c5139f6

SHA512
00ef5cc54b9bb0e155d1efb6be6aafdde7c7a6d4ed767fc5276f0dc085624f33a72903bb15f0591b2dd6e785e4323b5d7e3032ad6e629784b044ff6e1d101799

Download Submit
C:\Windows\SysWOW64\Ehapfiem.exe

Filesize
64KB

MD5
001f7225d885d20813fb61cda24ca2ed

SHA1
11dcf4cb2c57863d94320506f70c460c847c8491

SHA256
4eb727bf68322a792c5f5e4e9da9c594935157443d0e97d172b7812dac873f23

SHA512
cd761481983fc6721ebd525124cfe9ae0f93b776a60771d58dc38f6dd137c398d35330d351b875e21d46e4bef589bb251be0719854015710d5ea8ec3532a4d16

Download Submit
C:\Windows\SysWOW64\Ehapfiem.exe

Filesize
64KB

MD5
001f7225d885d20813fb61cda24ca2ed

SHA1
11dcf4cb2c57863d94320506f70c460c847c8491

SHA256
4eb727bf68322a792c5f5e4e9da9c594935157443d0e97d172b7812dac873f23

SHA512
cd761481983fc6721ebd525124cfe9ae0f93b776a60771d58dc38f6dd137c398d35330d351b875e21d46e4bef589bb251be0719854015710d5ea8ec3532a4d16

Download Submit
C:\Windows\SysWOW64\Ekiohclf.exe

Filesize
64KB

MD5
416afa749de99dbd100ac9c875f2e98c

SHA1
b2ed3b5ab89a4584e13786dde4763ed7db5c8286

SHA256
dd9745a986d124f2a493f22df8e35e12f89d12e9a6fa36afc5af9417d20ed33b

SHA512
0cd3db501bb5976e2a0e364d7a140d6fd529ad391b039ecdccc89b7c8cb0aa9ce34fff81cd0db3bfcc24d96457f229f1ac5f3a598d4db2f12992b6ad4000d0b0

Download Submit
C:\Windows\SysWOW64\Ekiohclf.exe

Filesize
64KB

MD5
416afa749de99dbd100ac9c875f2e98c

SHA1
b2ed3b5ab89a4584e13786dde4763ed7db5c8286

SHA256
dd9745a986d124f2a493f22df8e35e12f89d12e9a6fa36afc5af9417d20ed33b

SHA512
0cd3db501bb5976e2a0e364d7a140d6fd529ad391b039ecdccc89b7c8cb0aa9ce34fff81cd0db3bfcc24d96457f229f1ac5f3a598d4db2f12992b6ad4000d0b0

Download Submit
C:\Windows\SysWOW64\Emoinpcd.exe

Filesize
64KB

MD5
96cc69e53210dd45a8bf5147d5fa5767

SHA1
a66cc31d83f9a89476710e2408bdfb5fa3fa3f03

SHA256
45257355290ecdeb05b9c8573f453bd031385eb73028aaab63ddb1353f379de1

SHA512
90021b75e8e25848cc000e31c49a0569397e9582a61f4d055a4258085fd89264b3b8de96b9b043eca893f1da46d1b953f8291b14350020869655c024f533c3c3

Download Submit
C:\Windows\SysWOW64\Emoinpcd.exe

Filesize
64KB

MD5
96cc69e53210dd45a8bf5147d5fa5767

SHA1
a66cc31d83f9a89476710e2408bdfb5fa3fa3f03

SHA256
45257355290ecdeb05b9c8573f453bd031385eb73028aaab63ddb1353f379de1

SHA512
90021b75e8e25848cc000e31c49a0569397e9582a61f4d055a4258085fd89264b3b8de96b9b043eca893f1da46d1b953f8291b14350020869655c024f533c3c3

Download Submit
C:\Windows\SysWOW64\Fafdkmap.exe

Filesize
64KB

MD5
a43212e41d078d690aa5049dfed43f79

SHA1
da4c21e9ce0a73bc51d1f9827083cdf364c910bf

SHA256
2842233a13cd67a587254dfe616c8f1f1b4ea0cd1f6f7deccefa5f85b284d59d

SHA512
32ff994bce162bd2303f48b1a43ba861207be3772c5e349859b477d3568331536beadb4fc085b6f4795ec2c84c07bf4cd42af884d858bc447dcf79c87ee2d19a

Download Submit
C:\Windows\SysWOW64\Fafdkmap.exe

Filesize
64KB

MD5
a43212e41d078d690aa5049dfed43f79

SHA1
da4c21e9ce0a73bc51d1f9827083cdf364c910bf

SHA256
2842233a13cd67a587254dfe616c8f1f1b4ea0cd1f6f7deccefa5f85b284d59d

SHA512
32ff994bce162bd2303f48b1a43ba861207be3772c5e349859b477d3568331536beadb4fc085b6f4795ec2c84c07bf4cd42af884d858bc447dcf79c87ee2d19a

Download Submit
C:\Windows\SysWOW64\Fahaplon.exe

Filesize
64KB

MD5
d44d47e128de9ee0b43a268f98c63b76

SHA1
44fc93b2ad96af46e863ffa214131a10a0f32358

SHA256
f95d2d8512c1958feb2b453bebfd334da75e3d31810f17c534a2a44adb8f4580

SHA512
92cfe4bcc76bf2247d0dc15d056ab4db5273f54812793f0a433b765a7274f3f8ee4d62806797b1e32e06fe7cfa22255b80d6467c497f4881f2135fc3a89f50f1

Download Submit
C:\Windows\SysWOW64\Fahaplon.exe

Filesize
64KB

MD5
d44d47e128de9ee0b43a268f98c63b76

SHA1
44fc93b2ad96af46e863ffa214131a10a0f32358

SHA256
f95d2d8512c1958feb2b453bebfd334da75e3d31810f17c534a2a44adb8f4580

SHA512
92cfe4bcc76bf2247d0dc15d056ab4db5273f54812793f0a433b765a7274f3f8ee4d62806797b1e32e06fe7cfa22255b80d6467c497f4881f2135fc3a89f50f1

Download Submit
C:\Windows\SysWOW64\Fdfmlhna.exe

Filesize
64KB

MD5
94e4fff315c278ac44c5352d6ff03ea2

SHA1
bce02e2d970c4f825293b2ab1eb13c5256af1bf4

SHA256
b2c0c6786c51b6d0fc221ea1597facb9a45e0c1f2f796d831b6e6eb63131b092

SHA512
211bd0df7cdf0eeaf80d5372ab7e911d660bb6c78cc1035dae843c0267a1e10fedd6153afcd6d67db1fcc5bd78ca0d9c5a94a9cd6bff2e81161f52f5137e368d

Download Submit
C:\Windows\SysWOW64\Fdfmlhna.exe

Filesize
64KB

MD5
94e4fff315c278ac44c5352d6ff03ea2

SHA1
bce02e2d970c4f825293b2ab1eb13c5256af1bf4

SHA256
b2c0c6786c51b6d0fc221ea1597facb9a45e0c1f2f796d831b6e6eb63131b092

SHA512
211bd0df7cdf0eeaf80d5372ab7e911d660bb6c78cc1035dae843c0267a1e10fedd6153afcd6d67db1fcc5bd78ca0d9c5a94a9cd6bff2e81161f52f5137e368d

Download Submit
C:\Windows\SysWOW64\Fefjfked.exe

Filesize
64KB

MD5
b6f23eba39149dbb8f55200287f67aac

SHA1
26f5e751c0675aca8424e6f40ded0cf32b7b27f9

SHA256
f58b0948bdab3b5da103c9c9819ecce4383db97a92a551218baaf5690e0e799e

SHA512
e89b22243c159897e59d87f7e500e7fa2021fb237aa99f058493dd0a67b13c25e93b505aacfd3bb36413ce517f4c81679ca2cff4450fdc9ba08d91746274b0d9

Download Submit
C:\Windows\SysWOW64\Fefjfked.exe

Filesize
64KB

MD5
b6f23eba39149dbb8f55200287f67aac

SHA1
26f5e751c0675aca8424e6f40ded0cf32b7b27f9

SHA256
f58b0948bdab3b5da103c9c9819ecce4383db97a92a551218baaf5690e0e799e

SHA512
e89b22243c159897e59d87f7e500e7fa2021fb237aa99f058493dd0a67b13c25e93b505aacfd3bb36413ce517f4c81679ca2cff4450fdc9ba08d91746274b0d9

Download Submit
C:\Windows\SysWOW64\Fggfnc32.exe

Filesize
64KB

MD5
bc789417f629c96990a17b512d6e24ad

SHA1
890dc05205cd8533de5ec9427f856def16795426

SHA256
ef2a230bf323d74453f09754559dee4dee3f1fa8019290f235a73d31f40bbc1b

SHA512
18cde4527eea0eb56599d6f144a5d3dd448ceea39ad054868159649692c8d10ad83711b84585935e3bc6365efcb9ac4683241d64209f0205efc344316bd86102

Download Submit
C:\Windows\SysWOW64\Fggfnc32.exe

Filesize
64KB

MD5
bc789417f629c96990a17b512d6e24ad

SHA1
890dc05205cd8533de5ec9427f856def16795426

SHA256
ef2a230bf323d74453f09754559dee4dee3f1fa8019290f235a73d31f40bbc1b

SHA512
18cde4527eea0eb56599d6f144a5d3dd448ceea39ad054868159649692c8d10ad83711b84585935e3bc6365efcb9ac4683241d64209f0205efc344316bd86102

Download Submit
C:\Windows\SysWOW64\Fgppmd32.exe

Filesize
64KB

MD5
91716971f543b7ae301aaa6b0ab34dcc

SHA1
58c728efc4746276b2cdeec3760dd1df8b423c8d

SHA256
bc11e9da4242c307f883313c30201bc9329477b4acbd4b19f81c81d7ec9df690

SHA512
e9405ba9077d186f11805bbf3761500190bfc6641ba4aeab50649161414282e7077aa9d6250d52e5b1d0b18b52adaf9c0abcba03a2b5af61250b41eb48868dbc

Download Submit
C:\Windows\SysWOW64\Fgppmd32.exe

Filesize
64KB

MD5
91716971f543b7ae301aaa6b0ab34dcc

SHA1
58c728efc4746276b2cdeec3760dd1df8b423c8d

SHA256
bc11e9da4242c307f883313c30201bc9329477b4acbd4b19f81c81d7ec9df690

SHA512
e9405ba9077d186f11805bbf3761500190bfc6641ba4aeab50649161414282e7077aa9d6250d52e5b1d0b18b52adaf9c0abcba03a2b5af61250b41eb48868dbc

Download Submit
C:\Windows\SysWOW64\Fhpmgg32.exe

Filesize
64KB

MD5
0eb64e5d9d10bb3ae144dfc82b20bb55

SHA1
a367c9b2d7cf2f70466e3b25d746fd15fe55decb

SHA256
a70c832dfd5ff7648099354c082a5f5e6e45e15ed202671a4873d31855044caf

SHA512
cfa3597f1b38918e805fa6faaeeef814964805b4921d5b8b8f474094fdb1ee729ca5123ddfe2715a49f511ae6506923b6f39e8bcd74b5cfdab4cdf2eedc6217b

Download Submit
C:\Windows\SysWOW64\Fhpmgg32.exe

Filesize
64KB

MD5
0eb64e5d9d10bb3ae144dfc82b20bb55

SHA1
a367c9b2d7cf2f70466e3b25d746fd15fe55decb

SHA256
a70c832dfd5ff7648099354c082a5f5e6e45e15ed202671a4873d31855044caf

SHA512
cfa3597f1b38918e805fa6faaeeef814964805b4921d5b8b8f474094fdb1ee729ca5123ddfe2715a49f511ae6506923b6f39e8bcd74b5cfdab4cdf2eedc6217b

Download Submit
C:\Windows\SysWOW64\Fkeodaai.exe

Filesize
64KB

MD5
20e3c5a1a3f625fdacaabdb9cfc7aa94

SHA1
436931440b9096d926fef766c3ec48646b6d85c9

SHA256
c02597a1323c98c45ebd0106ecd781274de7ec5aaf2b10c454498609fdefc484

SHA512
8161ccce6577f05996f23cf17a08d387ee7e0b5bcdc7e99fd80610ee67e3496fb7373b2b5c24c3fd71b0512d211ffeb6ead9253f4a6ebd4b628dd99e98192bf4

Download Submit
C:\Windows\SysWOW64\Fkeodaai.exe

Filesize
64KB

MD5
20e3c5a1a3f625fdacaabdb9cfc7aa94

SHA1
436931440b9096d926fef766c3ec48646b6d85c9

SHA256
c02597a1323c98c45ebd0106ecd781274de7ec5aaf2b10c454498609fdefc484

SHA512
8161ccce6577f05996f23cf17a08d387ee7e0b5bcdc7e99fd80610ee67e3496fb7373b2b5c24c3fd71b0512d211ffeb6ead9253f4a6ebd4b628dd99e98192bf4

Download Submit
C:\Windows\SysWOW64\Fnaokmco.exe

Filesize
64KB

MD5
76509eeb98f33fa76fe265b8acb9e9c0

SHA1
ac4085dc2b3a86be92bc23f30ef3d34e816301ca

SHA256
a811c7254203bf2d768b38b7bf837ddf6fd3eac28f29294266a1256ebc700990

SHA512
1b0c8352613937f78d3cdd41321a98fe1b8244be0bca10f5245b1067031721f08cea1b489ae8d583b640d346815c726880ed6a7f0cf03dd508130f9e241faf80

Download Submit
C:\Windows\SysWOW64\Fnaokmco.exe

Filesize
64KB

MD5
76509eeb98f33fa76fe265b8acb9e9c0

SHA1
ac4085dc2b3a86be92bc23f30ef3d34e816301ca

SHA256
a811c7254203bf2d768b38b7bf837ddf6fd3eac28f29294266a1256ebc700990

SHA512
1b0c8352613937f78d3cdd41321a98fe1b8244be0bca10f5245b1067031721f08cea1b489ae8d583b640d346815c726880ed6a7f0cf03dd508130f9e241faf80

Download Submit
C:\Windows\SysWOW64\Folaiqng.exe

Filesize
64KB

MD5
4e6360e6179b5637530cb075cae0307f

SHA1
3671afb3aea43a246912038f769bd2c7a1020daa

SHA256
e0986cdf2a8c7f63604e914239c10db528ea5e15634c293f5adcd10982895d24

SHA512
54fa8f66a2fb3ed4798aab43c04c882272d9d56b9ca3df97665fcf121638da6a28245880168bae6f6748bfec086cc87f0b90918eae8a8371cee42422ac0dca1a

Download Submit
C:\Windows\SysWOW64\Folaiqng.exe

Filesize
64KB

MD5
4e6360e6179b5637530cb075cae0307f

SHA1
3671afb3aea43a246912038f769bd2c7a1020daa

SHA256
e0986cdf2a8c7f63604e914239c10db528ea5e15634c293f5adcd10982895d24

SHA512
54fa8f66a2fb3ed4798aab43c04c882272d9d56b9ca3df97665fcf121638da6a28245880168bae6f6748bfec086cc87f0b90918eae8a8371cee42422ac0dca1a

Download Submit
C:\Windows\SysWOW64\Gadqlkep.exe

Filesize
64KB

MD5
378372c3864b856bb72a09ff5561c6d4

SHA1
f74993853afa5d0d791efc298069291a91c3c19f

SHA256
fefd22a0498f6a0470763e951c38f495a88d554ccb18c9e7e835d6ff1a34ad63

SHA512
d3463cf8afab378f23bc884cf23447a7690d768a43c00fca9c5be5a0a11b3c0ca8fb0d855576a42ea9a535d4afc6f0985838d1cd3ade8aabf13ff3a1cc778701

Download Submit
C:\Windows\SysWOW64\Gadqlkep.exe

Filesize
64KB

MD5
378372c3864b856bb72a09ff5561c6d4

SHA1
f74993853afa5d0d791efc298069291a91c3c19f

SHA256
fefd22a0498f6a0470763e951c38f495a88d554ccb18c9e7e835d6ff1a34ad63

SHA512
d3463cf8afab378f23bc884cf23447a7690d768a43c00fca9c5be5a0a11b3c0ca8fb0d855576a42ea9a535d4afc6f0985838d1cd3ade8aabf13ff3a1cc778701

Download Submit
C:\Windows\SysWOW64\Gdncmghi.exe

Filesize
64KB

MD5
4121b1c72c4cffd33d7b27071a348ab8

SHA1
2e78253b83962112e87b99cde1f5020c8a34c3b4

SHA256
74ff88f9af2e3255f66a5cd7523205900be05a1207ef54fa67d7b658531ec506

SHA512
077a94bfe5cfe05cc177470e904c91eb7a9809180ff6f246a124705a2931836cc3bed1a2b846ec268e129671c4a54da0aabc229472674ca41871847c07d8c0b8

Download Submit
C:\Windows\SysWOW64\Gdncmghi.exe

Filesize
64KB

MD5
4121b1c72c4cffd33d7b27071a348ab8

SHA1
2e78253b83962112e87b99cde1f5020c8a34c3b4

SHA256
74ff88f9af2e3255f66a5cd7523205900be05a1207ef54fa67d7b658531ec506

SHA512
077a94bfe5cfe05cc177470e904c91eb7a9809180ff6f246a124705a2931836cc3bed1a2b846ec268e129671c4a54da0aabc229472674ca41871847c07d8c0b8

Download Submit
C:\Windows\SysWOW64\Gdppbfff.exe

Filesize
64KB

MD5
56033a04c875642d3c36997b391e1cc7

SHA1
e249c5bb1e7bcdc453f41ac10ee80ae75a193258

SHA256
460ee2db0279980f8e0efa398dd61b5d727ff72180a943936e0df5bc2beb512f

SHA512
e7199349e67358cc872bc51ae59cf9e80a5ebd21fef3b864622543ea21dd0fabccb59d76a15ef5faeb41e4c854c5ca02defbde1481075d0c86415ac46c2b867a

Download Submit
C:\Windows\SysWOW64\Gdppbfff.exe

Filesize
64KB

MD5
56033a04c875642d3c36997b391e1cc7

SHA1
e249c5bb1e7bcdc453f41ac10ee80ae75a193258

SHA256
460ee2db0279980f8e0efa398dd61b5d727ff72180a943936e0df5bc2beb512f

SHA512
e7199349e67358cc872bc51ae59cf9e80a5ebd21fef3b864622543ea21dd0fabccb59d76a15ef5faeb41e4c854c5ca02defbde1481075d0c86415ac46c2b867a

Download Submit
C:\Windows\SysWOW64\Gdppbfff.exe

Filesize
64KB

MD5
56033a04c875642d3c36997b391e1cc7

SHA1
e249c5bb1e7bcdc453f41ac10ee80ae75a193258

SHA256
460ee2db0279980f8e0efa398dd61b5d727ff72180a943936e0df5bc2beb512f

SHA512
e7199349e67358cc872bc51ae59cf9e80a5ebd21fef3b864622543ea21dd0fabccb59d76a15ef5faeb41e4c854c5ca02defbde1481075d0c86415ac46c2b867a

Download Submit
C:\Windows\SysWOW64\Ggcfja32.exe

Filesize
64KB

MD5
60f4e600c6382083c270b4501030a71a

SHA1
34f6d2a54ba1dba78861c2f0bde0ec05bcd0362e

SHA256
3533dec3eeb3321caa93cb19446e32c9a8fe98f1bf69f08aedd3e0414c65d935

SHA512
d797f7b59d223591e67b1f6277d0a4327bd80432f36cf2414192190226622093e81c5b680d7195c8a16b5648e27c030768392c66ca91cfb88bdba5f1c50df134

Download Submit
C:\Windows\SysWOW64\Ggcfja32.exe

Filesize
64KB

MD5
60f4e600c6382083c270b4501030a71a

SHA1
34f6d2a54ba1dba78861c2f0bde0ec05bcd0362e

SHA256
3533dec3eeb3321caa93cb19446e32c9a8fe98f1bf69f08aedd3e0414c65d935

SHA512
d797f7b59d223591e67b1f6277d0a4327bd80432f36cf2414192190226622093e81c5b680d7195c8a16b5648e27c030768392c66ca91cfb88bdba5f1c50df134

Download Submit
C:\Windows\SysWOW64\Gkjhoq32.exe

Filesize
64KB

MD5
a95bee494ca05f4ea3d18ca198f0ce17

SHA1
8541a7c4f056cfcb67c673f051bf5eb44140816c

SHA256
c8af47209b6cef42326cddb34116601c2ce2175e87971f0e2a73a883b80e772f

SHA512
30d13e5de2aa9ff7e7aa62fb8a20b06b9aa6ffe0a9024b421a24783485a1e3237961c0331b0bdc8b91ef539afeded3e0cce6a2f21c341b24934c9839eb86608c

Download Submit
C:\Windows\SysWOW64\Gkjhoq32.exe

Filesize
64KB

MD5
a95bee494ca05f4ea3d18ca198f0ce17

SHA1
8541a7c4f056cfcb67c673f051bf5eb44140816c

SHA256
c8af47209b6cef42326cddb34116601c2ce2175e87971f0e2a73a883b80e772f

SHA512
30d13e5de2aa9ff7e7aa62fb8a20b06b9aa6ffe0a9024b421a24783485a1e3237961c0331b0bdc8b91ef539afeded3e0cce6a2f21c341b24934c9839eb86608c

Download Submit
C:\Windows\SysWOW64\Gochjpho.exe

Filesize
64KB

MD5
4ec2b6fc24e4a4499a1e7b3448cee757

SHA1
288a3dbf1c6705d9f9133c6b9c302e91d7113891

SHA256
a2456b3652927c343c446829238d2537cfddc1a997b22e10551c66e2842fa28d

SHA512
bba610caee06dbf64596a116cd3fc561127deb1646baf12f54fb0d7094cdb3e0ed8a64136810de560218caac0021414ca5718e63364d096f9266fabc1da57230

Download Submit
C:\Windows\SysWOW64\Gochjpho.exe

Filesize
64KB

MD5
4ec2b6fc24e4a4499a1e7b3448cee757

SHA1
288a3dbf1c6705d9f9133c6b9c302e91d7113891

SHA256
a2456b3652927c343c446829238d2537cfddc1a997b22e10551c66e2842fa28d

SHA512
bba610caee06dbf64596a116cd3fc561127deb1646baf12f54fb0d7094cdb3e0ed8a64136810de560218caac0021414ca5718e63364d096f9266fabc1da57230

Download Submit
C:\Windows\SysWOW64\Gohaeo32.exe

Filesize
64KB

MD5
21eacae603a69e19fef989db860032bf

SHA1
31586edd4b7b1882aed35f2e055ac81f4263fc62

SHA256
08b2acf79683200026f0ab8ea0cf3899f07c9aad9655bc431b3e7797905004f7

SHA512
34bfdf1b87cf2f2047c1193e4b716e56ec5cc2766c7b05f40e68570082064a502611b138d5da0a6385b2b5eef4bed6ce2322012d2be2f27449cbbf8694615353

Download Submit
C:\Windows\SysWOW64\Gohaeo32.exe

Filesize
64KB

MD5
21eacae603a69e19fef989db860032bf

SHA1
31586edd4b7b1882aed35f2e055ac81f4263fc62

SHA256
08b2acf79683200026f0ab8ea0cf3899f07c9aad9655bc431b3e7797905004f7

SHA512
34bfdf1b87cf2f2047c1193e4b716e56ec5cc2766c7b05f40e68570082064a502611b138d5da0a6385b2b5eef4bed6ce2322012d2be2f27449cbbf8694615353

Download Submit
C:\Windows\SysWOW64\Goljqnpd.exe

Filesize
64KB

MD5
24cb96d25b956d9044d3d2523e3c143c

SHA1
109c3f9159da0324e49baaade3546c3875a5e8a0

SHA256
02d1863aac06a1d397ece46d5c001ce1dd7a2e3515b499ace9cb03075debe25e

SHA512
c0f0a4cf2fcde89e373de202167737cc033df2d68535f762ec820e11c19efd94a3a3c5ef9cfc41b9cd5e70b17581823249e9aa1eca24d2de27f0b1e4fe2f0880

Download Submit
C:\Windows\SysWOW64\Hgdejd32.exe

Filesize
64KB

MD5
5b7b454f3fc7bb24288618ee46ae799f

SHA1
35de7cd7fe16b2715b006e7d426f2f4bb04469a2

SHA256
4104362871a75cd99faecb6eb942ba146e973d95b0833f4ab2059c7a54788d35

SHA512
65ab6daea7646e5bbc8a43f17d49a37ac34f6d527c80df9b0d0559185a55769673f972b4a1df358ddfdff5a0792203bc513b5b715789723d7b583aeabb78c38e

Download Submit
C:\Windows\SysWOW64\Higjaoci.exe

Filesize
64KB

MD5
4a72245feaa4acf8d28875824eca99e6

SHA1
e6be0040bed6f2089fa38d995b0693296c2a23a4

SHA256
8474ab37a24b93239622303e3ac4f82df8a27ace5343eb4c2d4c36528294a985

SHA512
136cbd7298fcc66a8964b54701fc502db04bfb45ff00cb1ae5e2d21ea17566ab89d792be2be2426712a94a2b97a0eaab3edf93ad888dcc059cfa4a19553a1042

Download Submit
C:\Windows\SysWOW64\Kjlopc32.exe

Filesize
64KB

MD5
17d103b7d3f698ddb17d0f5b9c06aeb1

SHA1
585b4dbf462572ed62b97da1337ae67023ebfa62

SHA256
72dae7bd84a6a55dfab3ef8743f5748cabb277d419578d7ee5442ee7ac7c63e5

SHA512
a88567583d4b9f8640b5dd617fc88634125fef00b7d4eb9377fe079bae01d2143f907b7b4cf19176daa52042c7547cbf83496a864c024d4405d9a826c94a1638

Download Submit
C:\Windows\SysWOW64\Kkcfid32.exe

Filesize
64KB

MD5
042b480a035a68ef0536ebe1831bfc3e

SHA1
9ccaa95054aff33053f5b4b9b27e15f938476c60

SHA256
9a43bc415376bd3ac9d67cf5d0cd1a4a1c8bd096e3f557ec8099117bc4b7e0d7

SHA512
97fdf18d1e4108194c72c0dbfd8a4a3e81df446f2e4b23ca8cb300c3dc28f15263f8df232de1bbe3258f18961514c9d913224a567d1291b3b6de3cd69d3a9bb2

Download Submit
C:\Windows\SysWOW64\Lddgmbpb.exe

Filesize
64KB

MD5
5717f9cf19bd3958dcfeaefaaf0ffd16

SHA1
9c6aff6ec46214290c364283abf251336fc532f8

SHA256
92161e9cc9696939b045949b0d251aa463ea46bc45ed88f7dd35599fe8fe14b0

SHA512
0a1b6d7589d8de604a29d6bfa5662358d0baa145083d7b16ac7f5077db6e6708f046499c0f76641c41925f207a13ece80c8129d52befb1a6949956840f5b0a6e

Download Submit
C:\Windows\SysWOW64\Mfjcnold.exe

Filesize
64KB

MD5
3096c596f979b7670b997c60e30a1b38

SHA1
e56d2a420bf2516305ff2ab6d5fb106473636058

SHA256
769c2a908214cfded9d6d85d1bda22157d09a69b95f056fb32382a31ad8c85ba

SHA512
e68b457980b924ce2977945c247bf9757567522f0e55b48fab1f4e9b68a46cb3a0448e6691f3ffd8862e0d821d81ebac6af03455f59072b386baa3988e1e4c35

Download Submit
C:\Windows\SysWOW64\Nlcalieg.exe

Filesize
64KB

MD5
e8c2bff752d66d7294a35492b7165e51

SHA1
e6352e117fa45ada95605c084f105e037dc56625

SHA256
0245153e2b3e9b066bdd59f297508f0e7fc32537535f96d8a3b279ba5ea5e15b

SHA512
3103aa970e6c7024e22dac4081963573c168fa35ab64ad9c16ec6f0209ac37d82c200bde19983ef69914d016508a11d8189c0ee08bd99e7294442382911a528d

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
64KB

MD5
21fc9822f8f1fb89119765ca4a7ed8dc

SHA1
4f957254e4397d3b63b0765ac9dfb1158192243e

SHA256
56bfc95820d24a74ae384d1660be8c092a4aaefb42f1ffa84f49e39395060aa6

SHA512
ad7fc42b258abcc61aba7151a00fdeb96ec97c408f3d8e16ce0a0af5b8ca1dc9443dcc50eeccf6790ba5c3c36417569c4893f2688f0efaabe78986ae4f1bebcc

Download Submit
C:\Windows\SysWOW64\Oeheqm32.exe

Filesize
64KB

MD5
503af8c32dd53447ab0ad41094b043df

SHA1
4c1413256dccfbc5f08514c3a914fe2ee1dc0231

SHA256
f7ab4b4e89180a85d038bc98053b1b23271ea2ad939f2f8bf41df56dc018c289

SHA512
9db709f7592a52ec953c9cdbb18bc240611a12b317f216994cf6cff24e4f5bedc03769fcf6ad8bfec01ce264975b884252e2dd83ed26467fce4e039c7f2c9aa5

Download Submit
C:\Windows\SysWOW64\Ojgjndno.exe

Filesize
64KB

MD5
2f9641157d247cf4550addd6f94c3cf1

SHA1
0f0f64847f589f527b39eb6937a39e8919bf540e

SHA256
6cbe62e173e0f07a8188007bc1a83ad01db2b1dfd9fcd46db8efcb499cae76fd

SHA512
5d63140a8756b76ec6d8a28fa7dafdde8836c26e4e6e5e9f7b36c0acd568a00b47a33fcb6392c392a399a35d74bc5be007dd6eb45a484fc3d88e983bba6345cc

Download Submit
C:\Windows\SysWOW64\Pmoiqneg.exe

Filesize
64KB

MD5
3e0cf126006c2d903c90bb7dbe4671a1

SHA1
108814d43b20429f7d63b12bc3f2ab3f278ed165

SHA256
0def8f4190ea81b71a1fcad395794d7b53b11097d25f677c4aa5129734339947

SHA512
24705406a2fab3cbe342eca1ba1d741f0368f7e6c0e54b3b06e19620f4f39334711e6bfcda3a4da3348835911f69a2f013676d6563e5cdd039ba3139c0452e3e

Download Submit
memory/116-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/372-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/412-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-390-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/832-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/964-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/964-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/964-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/996-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1260-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-366-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-397-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-306-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1824-433-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1908-409-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1984-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2468-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-384-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3304-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3368-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3404-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3460-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3492-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3856-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3920-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3932-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3944-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4004-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4064-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4116-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4132-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4256-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4280-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4312-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4332-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4392-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-427-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4456-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4488-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4612-4457-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4438-0x0000022CD2540000-0x0000022CD2550000-memory.dmp

Filesize
64KB

Download
memory/4612-4464-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4488-0x0000022CDA8C0000-0x0000022CDA8C1000-memory.dmp

Filesize
4KB

Download
memory/4612-4489-0x0000022CDA8C0000-0x0000022CDA8C1000-memory.dmp

Filesize
4KB

Download
memory/4612-4490-0x0000022CDA9D0000-0x0000022CDA9D1000-memory.dmp

Filesize
4KB

Download
memory/4612-4486-0x0000022CDA8B0000-0x0000022CDA8B1000-memory.dmp

Filesize
4KB

Download
memory/4612-4474-0x0000022CDA6B0000-0x0000022CDA6B1000-memory.dmp

Filesize
4KB

Download
memory/4612-4471-0x0000022CDA770000-0x0000022CDA771000-memory.dmp

Filesize
4KB

Download
memory/4612-4463-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4468-0x0000022CDA780000-0x0000022CDA781000-memory.dmp

Filesize
4KB

Download
memory/4612-4462-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4422-0x0000022CD2440000-0x0000022CD2450000-memory.dmp

Filesize
64KB

Download
memory/4612-4465-0x0000022CDA780000-0x0000022CDA781000-memory.dmp

Filesize
4KB

Download
memory/4612-4454-0x0000022CDAB30000-0x0000022CDAB31000-memory.dmp

Filesize
4KB

Download
memory/4612-4455-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4456-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4466-0x0000022CDA770000-0x0000022CDA771000-memory.dmp

Filesize
4KB

Download
memory/4612-4458-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4459-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4460-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4612-4461-0x0000022CDAB60000-0x0000022CDAB61000-memory.dmp

Filesize
4KB

Download
memory/4708-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4712-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4756-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4796-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4812-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4872-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4948-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4980-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/8788-2147-0x0000000076DD0000-0x0000000076EAC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads