njrat | d03de2770b4988d9c628c99ed2732fa0b7b7afc3a12628640abd2319d4627bed

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4de71b3d77b424c916316a993a1c1251_JC.exe
Size

337KB
MD5

4de71b3d77b424c916316a993a1c1251
SHA1

14e32081d20f56d127047677bed47483b3ab6b3d
SHA256

d03de2770b4988d9c628c99ed2732fa0b7b7afc3a12628640abd2319d4627bed
SHA512

876b60d15def5a8233f2b2b7db2a71b1026169ca411534d211b114161eab3e6be25a32663781c7624e3c0a97dabe31451b6c5424ead9cbc00e517eaaa38dacb0
SSDEEP

3072:jtwhCqPOXzWiYbNgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:jt+CqPOiPN1+fIyG5jZkCwi8r

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbapom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecccmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnblmnfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpeejfjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dehnpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjofambd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mejnlpai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidbgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gigaka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfchjddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjoadbbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpnfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knhkkfod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpckjfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fibojhim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opgciodi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcpffk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iandjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmcnbdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljijci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmcfkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfieagka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbihmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imnoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edcgnmml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdfpmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foakpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akipic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haclio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnkflo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohgdhfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggmnmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Almifk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imabnofj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opiidhoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ainfpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epgpajdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knjhae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alfcflfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adjnaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olidijjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okchnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icqmncof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cknbkpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flhoinbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnlenp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lennpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnmpbec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pldcdhpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eidlnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmfpgmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhpba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmjkka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epgpajdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adjjeieh.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
4184	Cfadkb32.exe
4772	Cgqqdeod.exe
3812	Caienjfd.exe
5056	Cffmfadl.exe
4392	Dgejpd32.exe
2896	Dannij32.exe
1980	Dpckjfgg.exe
5008	Dpehof32.exe
4940	Dhomfc32.exe
664	Eaindh32.exe
1248	Eangpgcl.exe
5048	Eaqdegaj.exe
3184	Filiii32.exe
3844	Fhmigagd.exe
1292	Fdcjlb32.exe
4412	Fmlneg32.exe
3236	Fibojhim.exe
3648	Fdhcgaic.exe
1876	Fielph32.exe
5084	Gigheh32.exe
3832	Gkiaej32.exe
3380	Gpfjma32.exe
3068	Gklnjj32.exe
4360	Ghpocngo.exe
4812	Gnlgleef.exe
2216	Gdfoio32.exe
1392	Hnodaecc.exe
3356	Hkbdki32.exe
1564	Hdkidohn.exe
4520	Hdmein32.exe
4748	Haafcb32.exe
4652	Hnhghcki.exe
1944	Ihnkel32.exe
1712	Ijogmdqm.exe
2708	Ihphkl32.exe
2952	Ihdafkdg.exe
3884	Ijhjcchb.exe
3448	Ibobdqid.exe
1824	Jjjghcfp.exe
4416	Jgogbgei.exe
1052	Jjmcnbdm.exe
2140	Jqiipljg.exe
4364	Jkomneim.exe
3276	Jqlefl32.exe
4300	Jjdjoane.exe
3992	Kiejmi32.exe
5024	Kelkaj32.exe
1912	Kjhcjq32.exe
4616	Kenggi32.exe
1352	Keqdmihc.exe
4580	Lelchgne.exe
4984	Ljilqnlm.exe
4536	Lijlof32.exe
4164	Mlkepaam.exe
4380	Mecjif32.exe
3280	Mnlnbl32.exe
1672	Mjbogmdb.exe
3912	Micoed32.exe
1332	Mjellmbp.exe
3480	Maodigil.exe
3012	Mifljdjo.exe
1660	Nhkikq32.exe
2672	Nacmdf32.exe
2204	Nklbmllg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ebhglj32.exe	Epikpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmiijjcf.exe	Pfoamp32.exe
File created	C:\Windows\SysWOW64\Bckkca32.exe	Bfgjjm32.exe
File created	C:\Windows\SysWOW64\Cofecami.exe	Cmhigf32.exe
File created	C:\Windows\SysWOW64\Fmpbqoqg.dll	Ciafbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmflbf32.exe	Cfldelik.exe
File created	C:\Windows\SysWOW64\Bccbakce.dll	Fjohde32.exe
File created	C:\Windows\SysWOW64\Fmnfcojj.dll	Fckaeioa.exe
File opened for modification	C:\Windows\SysWOW64\Ebagdddp.exe	Eldbbjof.exe
File created	C:\Windows\SysWOW64\Ghpblhco.dll	Pmpmnb32.exe
File opened for modification	C:\Windows\SysWOW64\Khmoionj.exe	Kpfggang.exe
File created	C:\Windows\SysWOW64\Eaindh32.exe	Dhomfc32.exe
File created	C:\Windows\SysWOW64\Ejchhgid.exe	Eblpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	Nnafno32.exe
File opened for modification	C:\Windows\SysWOW64\Fdjnolfd.exe	Fjeibc32.exe
File opened for modification	C:\Windows\SysWOW64\Ogcike32.exe	Oeamcmmo.exe
File opened for modification	C:\Windows\SysWOW64\Kphdma32.exe	Knjhae32.exe
File opened for modification	C:\Windows\SysWOW64\Fbjjkble.exe	Fibfbm32.exe
File created	C:\Windows\SysWOW64\Fhjoilop.exe	Fnbjpf32.exe
File created	C:\Windows\SysWOW64\Pabojh32.dll	Kaaaak32.exe
File created	C:\Windows\SysWOW64\Bnhpfjhc.dll	Oohgdhfn.exe
File created	C:\Windows\SysWOW64\Olaqbelh.dll	Cmhigf32.exe
File created	C:\Windows\SysWOW64\Debalegc.dll	Knkcmild.exe
File opened for modification	C:\Windows\SysWOW64\Gqokekph.exe	Gnanioad.exe
File created	C:\Windows\SysWOW64\Gdbpil32.dll	Cfadkb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfldelik.exe	Bckkca32.exe
File created	C:\Windows\SysWOW64\Dgfdojfm.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Fibmebpm.dll	Kccbjq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfngcdhi.exe	Dngobghg.exe
File created	C:\Windows\SysWOW64\Eldbbjof.exe	Eekjep32.exe
File created	C:\Windows\SysWOW64\Bnclamqe.exe	Bgicdc32.exe
File created	C:\Windows\SysWOW64\Cfadkb32.exe	4de71b3d77b424c916316a993a1c1251_JC.exe
File created	C:\Windows\SysWOW64\Hnjjdmoc.dll	Ihphkl32.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Qigfbqjk.dll	Bcinie32.exe
File created	C:\Windows\SysWOW64\Qpdhhmkg.dll	Gcngafol.exe
File created	C:\Windows\SysWOW64\Hqimlihn.exe	Hfamia32.exe
File created	C:\Windows\SysWOW64\Lmlpjdgo.exe	Lfbgmj32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Caienjfd.exe	Cgqqdeod.exe
File created	C:\Windows\SysWOW64\Bjpjel32.exe	Bokehc32.exe
File created	C:\Windows\SysWOW64\Kofmfi32.dll	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Ghmpmgdc.dll	Jjmcnbdm.exe
File created	C:\Windows\SysWOW64\Dqgjoenq.exe	Djmbbk32.exe
File created	C:\Windows\SysWOW64\Hhcecm32.dll	Cgmfel32.exe
File opened for modification	C:\Windows\SysWOW64\Ihhmgaqb.exe	Iandjg32.exe
File opened for modification	C:\Windows\SysWOW64\Fibfbm32.exe	Fgcjea32.exe
File opened for modification	C:\Windows\SysWOW64\Nfchjddj.exe	Nfnooe32.exe
File created	C:\Windows\SysWOW64\Dhpobmqh.dll	Hjimaole.exe
File created	C:\Windows\SysWOW64\Dhmgfm32.exe	Deokja32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjiao32.exe	Bemqih32.exe
File created	C:\Windows\SysWOW64\Keghocao.exe	Kffhakjp.exe
File opened for modification	C:\Windows\SysWOW64\Pbifol32.exe	Pfbfjk32.exe
File created	C:\Windows\SysWOW64\Kejeebpl.exe	Kmbmdeoj.exe
File opened for modification	C:\Windows\SysWOW64\Opgciodi.exe	Omigmc32.exe
File created	C:\Windows\SysWOW64\Dkkqnnfc.dll	Dqbadf32.exe
File created	C:\Windows\SysWOW64\Jqiipljg.exe	Jjmcnbdm.exe
File created	C:\Windows\SysWOW64\Oeddnh32.dll	Gfkbde32.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Ebagdddp.exe	Eldbbjof.exe
File opened for modification	C:\Windows\SysWOW64\Pghaghfn.exe	Pdjeklfj.exe
File opened for modification	C:\Windows\SysWOW64\Mifljdjo.exe	Maodigil.exe
File created	C:\Windows\SysWOW64\Leedqa32.exe	Lhadgmge.exe
File created	C:\Windows\SysWOW64\Aobgiafa.dll	Dhbqalle.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khbhdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijcaaibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenapa32.dll"	Eeddfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndnocba.dll"	Fpnfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmfel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljijci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcepbooa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmbnfcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpobmqh.dll"	Hjimaole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allpejfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leqkeajd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nicbpf32.dll"	Almifk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkadoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eipilmgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcoaock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impldi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eclmamod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnjhhpgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfefdpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpoo32.dll"	Djnhne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbifol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neafjdkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeifngp.dll"	Ejchhgid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkecidg.dll"	Ffobhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpggodfg.dll"	Gbmingjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmoglij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfanflne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joljlakk.dll"	Ijpcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmflc32.dll"	Ijogmdqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diccgfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dblgpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmgmhgig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mecjif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fideeaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdlbpldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cqfahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjflblll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpjb32.dll"	Hknmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdkidohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agckiqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	Adjjeieh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfanflne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bipcei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfjpgfm.dll"	Eangpgcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjbogmdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plimpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhadgmge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Foakpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alfcflfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmndkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpmdabfb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4184	3228	4de71b3d77b424c916316a993a1c1251_JC.exe	86
PID 3228 wrote to memory of 4184	3228	4de71b3d77b424c916316a993a1c1251_JC.exe	86
PID 3228 wrote to memory of 4184	3228	4de71b3d77b424c916316a993a1c1251_JC.exe	86
PID 4184 wrote to memory of 4772	4184	Cfadkb32.exe	85
PID 4184 wrote to memory of 4772	4184	Cfadkb32.exe	85
PID 4184 wrote to memory of 4772	4184	Cfadkb32.exe	85
PID 4772 wrote to memory of 3812	4772	Cgqqdeod.exe	87
PID 4772 wrote to memory of 3812	4772	Cgqqdeod.exe	87
PID 4772 wrote to memory of 3812	4772	Cgqqdeod.exe	87
PID 3812 wrote to memory of 5056	3812	Caienjfd.exe	88
PID 3812 wrote to memory of 5056	3812	Caienjfd.exe	88
PID 3812 wrote to memory of 5056	3812	Caienjfd.exe	88
PID 5056 wrote to memory of 4392	5056	Cffmfadl.exe	89
PID 5056 wrote to memory of 4392	5056	Cffmfadl.exe	89
PID 5056 wrote to memory of 4392	5056	Cffmfadl.exe	89
PID 4392 wrote to memory of 2896	4392	Dgejpd32.exe	90
PID 4392 wrote to memory of 2896	4392	Dgejpd32.exe	90
PID 4392 wrote to memory of 2896	4392	Dgejpd32.exe	90
PID 2896 wrote to memory of 1980	2896	Dannij32.exe	91
PID 2896 wrote to memory of 1980	2896	Dannij32.exe	91
PID 2896 wrote to memory of 1980	2896	Dannij32.exe	91
PID 1980 wrote to memory of 5008	1980	Dpckjfgg.exe	93
PID 1980 wrote to memory of 5008	1980	Dpckjfgg.exe	93
PID 1980 wrote to memory of 5008	1980	Dpckjfgg.exe	93
PID 5008 wrote to memory of 4940	5008	Dpehof32.exe	94
PID 5008 wrote to memory of 4940	5008	Dpehof32.exe	94
PID 5008 wrote to memory of 4940	5008	Dpehof32.exe	94
PID 4940 wrote to memory of 664	4940	Dhomfc32.exe	95
PID 4940 wrote to memory of 664	4940	Dhomfc32.exe	95
PID 4940 wrote to memory of 664	4940	Dhomfc32.exe	95
PID 664 wrote to memory of 1248	664	Eaindh32.exe	96
PID 664 wrote to memory of 1248	664	Eaindh32.exe	96
PID 664 wrote to memory of 1248	664	Eaindh32.exe	96
PID 1248 wrote to memory of 5048	1248	Eangpgcl.exe	97
PID 1248 wrote to memory of 5048	1248	Eangpgcl.exe	97
PID 1248 wrote to memory of 5048	1248	Eangpgcl.exe	97
PID 5048 wrote to memory of 3184	5048	Eaqdegaj.exe	98
PID 5048 wrote to memory of 3184	5048	Eaqdegaj.exe	98
PID 5048 wrote to memory of 3184	5048	Eaqdegaj.exe	98
PID 3184 wrote to memory of 3844	3184	Filiii32.exe	99
PID 3184 wrote to memory of 3844	3184	Filiii32.exe	99
PID 3184 wrote to memory of 3844	3184	Filiii32.exe	99
PID 3844 wrote to memory of 1292	3844	Fhmigagd.exe	100
PID 3844 wrote to memory of 1292	3844	Fhmigagd.exe	100
PID 3844 wrote to memory of 1292	3844	Fhmigagd.exe	100
PID 1292 wrote to memory of 4412	1292	Fdcjlb32.exe	101
PID 1292 wrote to memory of 4412	1292	Fdcjlb32.exe	101
PID 1292 wrote to memory of 4412	1292	Fdcjlb32.exe	101
PID 4412 wrote to memory of 3236	4412	Fmlneg32.exe	102
PID 4412 wrote to memory of 3236	4412	Fmlneg32.exe	102
PID 4412 wrote to memory of 3236	4412	Fmlneg32.exe	102
PID 3236 wrote to memory of 3648	3236	Fibojhim.exe	104
PID 3236 wrote to memory of 3648	3236	Fibojhim.exe	104
PID 3236 wrote to memory of 3648	3236	Fibojhim.exe	104
PID 3648 wrote to memory of 1876	3648	Fdhcgaic.exe	103
PID 3648 wrote to memory of 1876	3648	Fdhcgaic.exe	103
PID 3648 wrote to memory of 1876	3648	Fdhcgaic.exe	103
PID 1876 wrote to memory of 5084	1876	Fielph32.exe	105
PID 1876 wrote to memory of 5084	1876	Fielph32.exe	105
PID 1876 wrote to memory of 5084	1876	Fielph32.exe	105
PID 5084 wrote to memory of 3832	5084	Gigheh32.exe	106
PID 5084 wrote to memory of 3832	5084	Gigheh32.exe	106
PID 5084 wrote to memory of 3832	5084	Gigheh32.exe	106
PID 3832 wrote to memory of 3380	3832	Gkiaej32.exe	107

C:\Users\Admin\AppData\Local\Temp\4de71b3d77b424c916316a993a1c1251_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4de71b3d77b424c916316a993a1c1251_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Cfadkb32.exe
  C:\Windows\system32\Cfadkb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4184

C:\Windows\SysWOW64\Cgqqdeod.exe
C:\Windows\system32\Cgqqdeod.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\Caienjfd.exe
  C:\Windows\system32\Caienjfd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\Cffmfadl.exe
    C:\Windows\system32\Cffmfadl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\Dgejpd32.exe
      C:\Windows\system32\Dgejpd32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Dpckjfgg.exe
        
        C:\Windows\system32\Dpckjfgg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhomfc32.exe
        
        C:\Windows\system32\Dhomfc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Eaindh32.exe
        
        C:\Windows\system32\Eaindh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Eangpgcl.exe
        
        C:\Windows\system32\Eangpgcl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Eaqdegaj.exe
        
        C:\Windows\system32\Eaqdegaj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Filiii32.exe
        
        C:\Windows\system32\Filiii32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Fmlneg32.exe
        
        C:\Windows\system32\Fmlneg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Fibojhim.exe
        
        C:\Windows\system32\Fibojhim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Fdhcgaic.exe
        
        C:\Windows\system32\Fdhcgaic.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648

C:\Windows\SysWOW64\Fielph32.exe
C:\Windows\system32\Fielph32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\Gigheh32.exe
  C:\Windows\system32\Gigheh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\Gkiaej32.exe
    C:\Windows\system32\Gkiaej32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\Gpfjma32.exe
      C:\Windows\system32\Gpfjma32.exe
      4⤵
      Executes dropped EXE
      PID:3380
    - - C:\Windows\SysWOW64\Gklnjj32.exe
        
        C:\Windows\system32\Gklnjj32.exe
        5⤵
        Executes dropped EXE
        
        PID:3068
      - C:\Windows\SysWOW64\Ghpocngo.exe
        
        C:\Windows\system32\Ghpocngo.exe
        6⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        7⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Gdfoio32.exe
        
        C:\Windows\system32\Gdfoio32.exe
        8⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        9⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        10⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Hdkidohn.exe
        
        C:\Windows\system32\Hdkidohn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        12⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Haafcb32.exe
        
        C:\Windows\system32\Haafcb32.exe
        13⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        14⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        15⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Ijogmdqm.exe
        
        C:\Windows\system32\Ijogmdqm.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ihdafkdg.exe
        
        C:\Windows\system32\Ihdafkdg.exe
        18⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Ijhjcchb.exe
        
        C:\Windows\system32\Ijhjcchb.exe
        19⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Ibobdqid.exe
        
        C:\Windows\system32\Ibobdqid.exe
        20⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Jjjghcfp.exe
        
        C:\Windows\system32\Jjjghcfp.exe
        21⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        22⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Jqiipljg.exe
        
        C:\Windows\system32\Jqiipljg.exe
        24⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        25⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        26⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Jjdjoane.exe
        
        C:\Windows\system32\Jjdjoane.exe
        27⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        28⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Kelkaj32.exe
        
        C:\Windows\system32\Kelkaj32.exe
        29⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Kjhcjq32.exe
        
        C:\Windows\system32\Kjhcjq32.exe
        30⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        31⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Keqdmihc.exe
        
        C:\Windows\system32\Keqdmihc.exe
        32⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Lelchgne.exe
        
        C:\Windows\system32\Lelchgne.exe
        33⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        34⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        35⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Mlkepaam.exe
        
        C:\Windows\system32\Mlkepaam.exe
        36⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Mecjif32.exe
        
        C:\Windows\system32\Mecjif32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        38⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Mjbogmdb.exe
        
        C:\Windows\system32\Mjbogmdb.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        40⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        41⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Mifljdjo.exe
        
        C:\Windows\system32\Mifljdjo.exe
        43⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Nhkikq32.exe
        
        C:\Windows\system32\Nhkikq32.exe
        44⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Nacmdf32.exe
        
        C:\Windows\system32\Nacmdf32.exe
        45⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Nklbmllg.exe
        
        C:\Windows\system32\Nklbmllg.exe
        46⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Neafjdkn.exe
        
        C:\Windows\system32\Neafjdkn.exe
        47⤵
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        48⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Neccpd32.exe
        
        C:\Windows\system32\Neccpd32.exe
        49⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        50⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        51⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4804
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        53⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        54⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        55⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        56⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        57⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        58⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        59⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Oeaoab32.exe
        
        C:\Windows\system32\Oeaoab32.exe
        61⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        62⤵
        
        PID:656
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        63⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        64⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        65⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Qepkbpak.exe
        
        C:\Windows\system32\Qepkbpak.exe
        66⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        67⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        68⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        69⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Ahcajk32.exe
        
        C:\Windows\system32\Ahcajk32.exe
        70⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        71⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        72⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Aanbhp32.exe
        
        C:\Windows\system32\Aanbhp32.exe
        73⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        74⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Acmobchj.exe
        
        C:\Windows\system32\Acmobchj.exe
        75⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        76⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        77⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Bhldpj32.exe
        
        C:\Windows\system32\Bhldpj32.exe
        78⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bcahmb32.exe
        
        C:\Windows\system32\Bcahmb32.exe
        79⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Bjlpjm32.exe
        
        C:\Windows\system32\Bjlpjm32.exe
        80⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        81⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Bhamkipi.exe
        
        C:\Windows\system32\Bhamkipi.exe
        82⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Bjpjel32.exe
        
        C:\Windows\system32\Bjpjel32.exe
        84⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        85⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Bcinna32.exe
        
        C:\Windows\system32\Bcinna32.exe
        86⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        89⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        90⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        91⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        92⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Cmhigf32.exe
        
        C:\Windows\system32\Cmhigf32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        94⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Cbeapmll.exe
        
        C:\Windows\system32\Cbeapmll.exe
        95⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        96⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        97⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Ckpbnb32.exe
        
        C:\Windows\system32\Ckpbnb32.exe
        99⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Dbjkkl32.exe
        
        C:\Windows\system32\Dbjkkl32.exe
        100⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Diccgfpd.exe
        
        C:\Windows\system32\Diccgfpd.exe
        101⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dpnkdq32.exe
        
        C:\Windows\system32\Dpnkdq32.exe
        102⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        103⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Difpmfna.exe
        
        C:\Windows\system32\Difpmfna.exe
        104⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        105⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        106⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        107⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        108⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        109⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Dlieda32.exe
        
        C:\Windows\system32\Dlieda32.exe
        110⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        111⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        112⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        113⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        114⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        115⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        117⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        118⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Elpkep32.exe
        
        C:\Windows\system32\Elpkep32.exe
        119⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        120⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Eidlnd32.exe
        
        C:\Windows\system32\Eidlnd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        122⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Eblpgjha.exe
        
        C:\Windows\system32\Eblpgjha.exe
        123⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ejchhgid.exe
        
        C:\Windows\system32\Ejchhgid.exe
        124⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        125⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        126⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Elgaeolp.exe
        
        C:\Windows\system32\Elgaeolp.exe
        127⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Fbajbi32.exe
        
        C:\Windows\system32\Fbajbi32.exe
        128⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        129⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        130⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        131⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        133⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Fbjmhh32.exe
        
        C:\Windows\system32\Fbjmhh32.exe
        134⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Fideeaco.exe
        
        C:\Windows\system32\Fideeaco.exe
        135⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        136⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        137⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Gigaka32.exe
        
        C:\Windows\system32\Gigaka32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        139⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        141⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        142⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        143⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        144⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        145⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        146⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        147⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        148⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        149⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        150⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        151⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        152⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        154⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        155⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        156⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        157⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        158⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        159⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        160⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        161⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        162⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        163⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        164⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        165⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        166⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        167⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        168⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        169⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        170⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        171⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        172⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        174⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        175⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        176⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        177⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        178⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        180⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        181⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        182⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        183⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        184⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        186⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        188⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        189⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        190⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        191⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        192⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        193⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        194⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        195⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        196⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        198⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        199⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        200⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        201⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        202⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        203⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        204⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        205⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        206⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        207⤵
        
        PID:7400

C:\Windows\SysWOW64\Ofegni32.exe
C:\Windows\system32\Ofegni32.exe
1⤵
PID:7888
- C:\Windows\SysWOW64\Ocihgnam.exe
  C:\Windows\system32\Ocihgnam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7988
- - C:\Windows\SysWOW64\Ojcpdg32.exe
    C:\Windows\system32\Ojcpdg32.exe
    3⤵
    PID:8060
  - - C:\Windows\SysWOW64\Oqmhqapg.exe
      C:\Windows\system32\Oqmhqapg.exe
      4⤵
      Modifies registry class
      PID:8116
    - - C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        5⤵
        
        PID:224
      - C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        6⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        8⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        9⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        10⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4496
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        12⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        13⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        14⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        15⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        17⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        18⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        19⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        20⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        21⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        23⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        24⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        25⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        26⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        27⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        28⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        29⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Omnqhbap.exe
        
        C:\Windows\system32\Omnqhbap.exe
        15⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Oplmdnpc.exe
        
        C:\Windows\system32\Oplmdnpc.exe
        16⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Pmpmnb32.exe
        
        C:\Windows\system32\Pmpmnb32.exe
        17⤵
        Drops file in System32 directory
        
        PID:7732
        
        C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        18⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Pdjeklfj.exe
        
        C:\Windows\system32\Pdjeklfj.exe
        19⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Pghaghfn.exe
        
        C:\Windows\system32\Pghaghfn.exe
        20⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Pignccea.exe
        
        C:\Windows\system32\Pignccea.exe
        21⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Plejoode.exe
        
        C:\Windows\system32\Plejoode.exe
        22⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Pdlbpldg.exe
        
        C:\Windows\system32\Pdlbpldg.exe
        23⤵
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Pgknlg32.exe
        
        C:\Windows\system32\Pgknlg32.exe
        24⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Piikhc32.exe
        
        C:\Windows\system32\Piikhc32.exe
        25⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Plhgdn32.exe
        
        C:\Windows\system32\Plhgdn32.exe
        26⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Pcaoahio.exe
        
        C:\Windows\system32\Pcaoahio.exe
        27⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Pgphggpe.exe
        
        C:\Windows\system32\Pgphggpe.exe
        28⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Pllppnnm.exe
        
        C:\Windows\system32\Pllppnnm.exe
        29⤵
        
        PID:4168

C:\Windows\SysWOW64\Dkpjdo32.exe
C:\Windows\system32\Dkpjdo32.exe
1⤵
PID:3732
- C:\Windows\SysWOW64\Dkbgjo32.exe
  C:\Windows\system32\Dkbgjo32.exe
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\Dalofi32.exe
    C:\Windows\system32\Dalofi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:4868
  - - C:\Windows\SysWOW64\Dgihop32.exe
      C:\Windows\system32\Dgihop32.exe
      4⤵
      PID:3828
    - - C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        6⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        7⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        9⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        10⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        11⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        12⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        13⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        14⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        15⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        16⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        17⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        18⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        19⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        20⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        21⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        22⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        23⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        24⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        25⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        26⤵
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        27⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        28⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        29⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        30⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        31⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        32⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        33⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        34⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        35⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        36⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        37⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        38⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        39⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        40⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        41⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        42⤵
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Dgfdojfm.exe
        
        C:\Windows\system32\Dgfdojfm.exe
        43⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Didqkeeq.exe
        
        C:\Windows\system32\Didqkeeq.exe
        44⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Dpoiho32.exe
        
        C:\Windows\system32\Dpoiho32.exe
        45⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Dekapfke.exe
        
        C:\Windows\system32\Dekapfke.exe
        46⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Ecoaijio.exe
        
        C:\Windows\system32\Ecoaijio.exe
        47⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Edoncm32.exe
        
        C:\Windows\system32\Edoncm32.exe
        48⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Eebgqe32.exe
        
        C:\Windows\system32\Eebgqe32.exe
        49⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Edcgnmml.exe
        
        C:\Windows\system32\Edcgnmml.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7404
        
        C:\Windows\SysWOW64\Eeddfe32.exe
        
        C:\Windows\system32\Eeddfe32.exe
        51⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Fckaeioa.exe
        
        C:\Windows\system32\Fckaeioa.exe
        52⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Fjeibc32.exe
        
        C:\Windows\system32\Fjeibc32.exe
        53⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\Fdjnolfd.exe
        
        C:\Windows\system32\Fdjnolfd.exe
        54⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Fgijkgeh.exe
        
        C:\Windows\system32\Fgijkgeh.exe
        55⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Fjgfgbek.exe
        
        C:\Windows\system32\Fjgfgbek.exe
        56⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Fpandm32.exe
        
        C:\Windows\system32\Fpandm32.exe
        57⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Fdmjdkda.exe
        
        C:\Windows\system32\Fdmjdkda.exe
        58⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ffnglc32.exe
        
        C:\Windows\system32\Ffnglc32.exe
        59⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Flhoinbl.exe
        
        C:\Windows\system32\Flhoinbl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Fdogjk32.exe
        
        C:\Windows\system32\Fdogjk32.exe
        61⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Fgncff32.exe
        
        C:\Windows\system32\Fgncff32.exe
        62⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Fjlpbb32.exe
        
        C:\Windows\system32\Fjlpbb32.exe
        63⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Fpfholhc.exe
        
        C:\Windows\system32\Fpfholhc.exe
        64⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Fcddkggf.exe
        
        C:\Windows\system32\Fcddkggf.exe
        65⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ffcpgcfj.exe
        
        C:\Windows\system32\Ffcpgcfj.exe
        66⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Gnjhhpgl.exe
        
        C:\Windows\system32\Gnjhhpgl.exe
        67⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Gfemmb32.exe
        
        C:\Windows\system32\Gfemmb32.exe
        68⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Gnlenp32.exe
        
        C:\Windows\system32\Gnlenp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3432
        
        C:\Windows\SysWOW64\Gdfmkjlg.exe
        
        C:\Windows\system32\Gdfmkjlg.exe
        70⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Ggdigekj.exe
        
        C:\Windows\system32\Ggdigekj.exe
        71⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Gnoacp32.exe
        
        C:\Windows\system32\Gnoacp32.exe
        72⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Gdhjpjjd.exe
        
        C:\Windows\system32\Gdhjpjjd.exe
        73⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        74⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Gnanioad.exe
        
        C:\Windows\system32\Gnanioad.exe
        75⤵
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Gqokekph.exe
        
        C:\Windows\system32\Gqokekph.exe
        76⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        77⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Gflcnanp.exe
        
        C:\Windows\system32\Gflcnanp.exe
        78⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Gmfkjl32.exe
        
        C:\Windows\system32\Gmfkjl32.exe
        79⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Hfamia32.exe
        
        C:\Windows\system32\Hfamia32.exe
        80⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Hqimlihn.exe
        
        C:\Windows\system32\Hqimlihn.exe
        81⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Hfefdpfe.exe
        
        C:\Windows\system32\Hfefdpfe.exe
        82⤵
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Hclccd32.exe
        
        C:\Windows\system32\Hclccd32.exe
        83⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Ifjoop32.exe
        
        C:\Windows\system32\Ifjoop32.exe
        84⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Icqmncof.exe
        
        C:\Windows\system32\Icqmncof.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Jcjodbgl.exe
        
        C:\Windows\system32\Jcjodbgl.exe
        86⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Jjdgal32.exe
        
        C:\Windows\system32\Jjdgal32.exe
        87⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Jnapgjdo.exe
        
        C:\Windows\system32\Jnapgjdo.exe
        88⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Jcoioabf.exe
        
        C:\Windows\system32\Jcoioabf.exe
        89⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Jjhalkjc.exe
        
        C:\Windows\system32\Jjhalkjc.exe
        90⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Jmgmhgig.exe
        
        C:\Windows\system32\Jmgmhgig.exe
        91⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        92⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Jfoaam32.exe
        
        C:\Windows\system32\Jfoaam32.exe
        93⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        94⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Kccbjq32.exe
        
        C:\Windows\system32\Kccbjq32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Kfanflne.exe
        
        C:\Windows\system32\Kfanflne.exe
        96⤵
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Kmlgcf32.exe
        
        C:\Windows\system32\Kmlgcf32.exe
        97⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Kebodc32.exe
        
        C:\Windows\system32\Kebodc32.exe
        98⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Kfdklllb.exe
        
        C:\Windows\system32\Kfdklllb.exe
        99⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Knkcmild.exe
        
        C:\Windows\system32\Knkcmild.exe
        100⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        101⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Kdhlepkl.exe
        
        C:\Windows\system32\Kdhlepkl.exe
        102⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kffhakjp.exe
        
        C:\Windows\system32\Kffhakjp.exe
        103⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Keghocao.exe
        
        C:\Windows\system32\Keghocao.exe
        104⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        105⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Kjdqhjpf.exe
        
        C:\Windows\system32\Kjdqhjpf.exe
        106⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Kmbmdeoj.exe
        
        C:\Windows\system32\Kmbmdeoj.exe
        107⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Kejeebpl.exe
        
        C:\Windows\system32\Kejeebpl.exe
        108⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        109⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Knbinhfl.exe
        
        C:\Windows\system32\Knbinhfl.exe
        110⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lelajb32.exe
        
        C:\Windows\system32\Lelajb32.exe
        111⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Lhjnfn32.exe
        
        C:\Windows\system32\Lhjnfn32.exe
        112⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Ljijci32.exe
        
        C:\Windows\system32\Ljijci32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Lennpb32.exe
        
        C:\Windows\system32\Lennpb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3864
        
        C:\Windows\SysWOW64\Lhmjlm32.exe
        
        C:\Windows\system32\Lhmjlm32.exe
        115⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Logbigbg.exe
        
        C:\Windows\system32\Logbigbg.exe
        116⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Leqkeajd.exe
        
        C:\Windows\system32\Leqkeajd.exe
        117⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Lfbgmj32.exe
        
        C:\Windows\system32\Lfbgmj32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Lmlpjdgo.exe
        
        C:\Windows\system32\Lmlpjdgo.exe
        119⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Lhadgmge.exe
        
        C:\Windows\system32\Lhadgmge.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Leedqa32.exe
        
        C:\Windows\system32\Leedqa32.exe
        121⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Lkbmih32.exe
        
        C:\Windows\system32\Lkbmih32.exe
        122⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Lmqiec32.exe
        
        C:\Windows\system32\Lmqiec32.exe
        123⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Mhfmbl32.exe
        
        C:\Windows\system32\Mhfmbl32.exe
        124⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Mmcfkc32.exe
        
        C:\Windows\system32\Mmcfkc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Mejnlpai.exe
        
        C:\Windows\system32\Mejnlpai.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        127⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Mobbdf32.exe
        
        C:\Windows\system32\Mobbdf32.exe
        128⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mhkgnkoj.exe
        
        C:\Windows\system32\Mhkgnkoj.exe
        129⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Mhppik32.exe
        
        C:\Windows\system32\Mhppik32.exe
        130⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Moiheebb.exe
        
        C:\Windows\system32\Moiheebb.exe
        131⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Necqbo32.exe
        
        C:\Windows\system32\Necqbo32.exe
        132⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        133⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Nnoefagj.exe
        
        C:\Windows\system32\Nnoefagj.exe
        134⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Nggjog32.exe
        
        C:\Windows\system32\Nggjog32.exe
        135⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nnabladg.exe
        
        C:\Windows\system32\Nnabladg.exe
        136⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Ngifef32.exe
        
        C:\Windows\system32\Ngifef32.exe
        137⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Nglcjfie.exe
        
        C:\Windows\system32\Nglcjfie.exe
        138⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ndpcdjho.exe
        
        C:\Windows\system32\Ndpcdjho.exe
        139⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Odbpij32.exe
        
        C:\Windows\system32\Odbpij32.exe
        140⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ogqmee32.exe
        
        C:\Windows\system32\Ogqmee32.exe
        141⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Onjebpml.exe
        
        C:\Windows\system32\Onjebpml.exe
        142⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        143⤵
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Ogcike32.exe
        
        C:\Windows\system32\Ogcike32.exe
        144⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Oolnabal.exe
        
        C:\Windows\system32\Oolnabal.exe
        145⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Oeffnl32.exe
        
        C:\Windows\system32\Oeffnl32.exe
        146⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Okcogc32.exe
        
        C:\Windows\system32\Okcogc32.exe
        147⤵
        
        PID:2532

C:\Windows\SysWOW64\Ofhcdlgg.exe
C:\Windows\system32\Ofhcdlgg.exe
1⤵
PID:3748
- C:\Windows\SysWOW64\Pndhhnda.exe
  C:\Windows\system32\Pndhhnda.exe
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\Pdnpeh32.exe
    C:\Windows\system32\Pdnpeh32.exe
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\Pkhhbbck.exe
      C:\Windows\system32\Pkhhbbck.exe
      4⤵
      PID:5152
    - - C:\Windows\SysWOW64\Pbapom32.exe
        
        C:\Windows\system32\Pbapom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:408
      - C:\Windows\SysWOW64\Pdpmkhjl.exe
        
        C:\Windows\system32\Pdpmkhjl.exe
        6⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        7⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Pgaelcgm.exe
        
        C:\Windows\system32\Pgaelcgm.exe
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Pfbfjk32.exe
        
        C:\Windows\system32\Pfbfjk32.exe
        10⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Pbifol32.exe
        
        C:\Windows\system32\Pbifol32.exe
        11⤵
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Qkakhakq.exe
        
        C:\Windows\system32\Qkakhakq.exe
        12⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Qfilkj32.exe
        
        C:\Windows\system32\Qfilkj32.exe
        13⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Qhghge32.exe
        
        C:\Windows\system32\Qhghge32.exe
        14⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        15⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Agmehamp.exe
        
        C:\Windows\system32\Agmehamp.exe
        16⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Aocmio32.exe
        
        C:\Windows\system32\Aocmio32.exe
        17⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Agobna32.exe
        
        C:\Windows\system32\Agobna32.exe
        18⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Abdfkj32.exe
        
        C:\Windows\system32\Abdfkj32.exe
        19⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Ainnhdbp.exe
        
        C:\Windows\system32\Ainnhdbp.exe
        20⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        21⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Aohfdnil.exe
        
        C:\Windows\system32\Aohfdnil.exe
        22⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Afboah32.exe
        
        C:\Windows\system32\Afboah32.exe
        23⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Agckiqgg.exe
        
        C:\Windows\system32\Agckiqgg.exe
        24⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Aokcjngj.exe
        
        C:\Windows\system32\Aokcjngj.exe
        25⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Aeglbeea.exe
        
        C:\Windows\system32\Aeglbeea.exe
        26⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Bkadoo32.exe
        
        C:\Windows\system32\Bkadoo32.exe
        27⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        28⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Bfghlhmd.exe
        
        C:\Windows\system32\Bfghlhmd.exe
        29⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Bkdqdokk.exe
        
        C:\Windows\system32\Bkdqdokk.exe
        30⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Bnbmqjjo.exe
        
        C:\Windows\system32\Bnbmqjjo.exe
        31⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bfieagka.exe
        
        C:\Windows\system32\Bfieagka.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        33⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Bpaikm32.exe
        
        C:\Windows\system32\Bpaikm32.exe
        34⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Bflagg32.exe
        
        C:\Windows\system32\Bflagg32.exe
        35⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Bijncb32.exe
        
        C:\Windows\system32\Bijncb32.exe
        36⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Bpdfpmoo.exe
        
        C:\Windows\system32\Bpdfpmoo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Bfnnmg32.exe
        
        C:\Windows\system32\Bfnnmg32.exe
        38⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Biljib32.exe
        
        C:\Windows\system32\Biljib32.exe
        39⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        40⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        41⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Cgagjo32.exe
        
        C:\Windows\system32\Cgagjo32.exe
        42⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Cnlpgibd.exe
        
        C:\Windows\system32\Cnlpgibd.exe
        43⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Ceehcc32.exe
        
        C:\Windows\system32\Ceehcc32.exe
        44⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Chddpn32.exe
        
        C:\Windows\system32\Chddpn32.exe
        45⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Cbihmg32.exe
        
        C:\Windows\system32\Cbihmg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7724
        
        C:\Windows\SysWOW64\Cblebgfh.exe
        
        C:\Windows\system32\Cblebgfh.exe
        47⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Cifmoa32.exe
        
        C:\Windows\system32\Cifmoa32.exe
        48⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Cppelkeb.exe
        
        C:\Windows\system32\Cppelkeb.exe
        49⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        50⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        51⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Clffalkf.exe
        
        C:\Windows\system32\Clffalkf.exe
        52⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        53⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Deokja32.exe
        
        C:\Windows\system32\Deokja32.exe
        54⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Dhmgfm32.exe
        
        C:\Windows\system32\Dhmgfm32.exe
        55⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Dngobghg.exe
        
        C:\Windows\system32\Dngobghg.exe
        56⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Dfngcdhi.exe
        
        C:\Windows\system32\Dfngcdhi.exe
        57⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Dhbqalle.exe
        
        C:\Windows\system32\Dhbqalle.exe
        58⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Dpihbjmg.exe
        
        C:\Windows\system32\Dpihbjmg.exe
        59⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Dbgdnelk.exe
        
        C:\Windows\system32\Dbgdnelk.exe
        60⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dhdmfljb.exe
        
        C:\Windows\system32\Dhdmfljb.exe
        61⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Donecfao.exe
        
        C:\Windows\system32\Donecfao.exe
        62⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Dehnpp32.exe
        
        C:\Windows\system32\Dehnpp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7564
        
        C:\Windows\SysWOW64\Doqbifpl.exe
        
        C:\Windows\system32\Doqbifpl.exe
        64⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Eekjep32.exe
        
        C:\Windows\system32\Eekjep32.exe
        65⤵
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\Eldbbjof.exe
        
        C:\Windows\system32\Eldbbjof.exe
        66⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        67⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Eikpan32.exe
        
        C:\Windows\system32\Eikpan32.exe
        68⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Epehnhbj.exe
        
        C:\Windows\system32\Epehnhbj.exe
        69⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Ebcdjc32.exe
        
        C:\Windows\system32\Ebcdjc32.exe
        70⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Ehpmbj32.exe
        
        C:\Windows\system32\Ehpmbj32.exe
        71⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Epgdch32.exe
        
        C:\Windows\system32\Epgdch32.exe
        72⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        73⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Eipilmgh.exe
        
        C:\Windows\system32\Eipilmgh.exe
        74⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Fibfbm32.exe
        
        C:\Windows\system32\Fibfbm32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Fbjjkble.exe
        
        C:\Windows\system32\Fbjjkble.exe
        77⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Fidbgm32.exe
        
        C:\Windows\system32\Fidbgm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Foakpc32.exe
        
        C:\Windows\system32\Foakpc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Fekclnif.exe
        
        C:\Windows\system32\Fekclnif.exe
        80⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Flekihpc.exe
        
        C:\Windows\system32\Flekihpc.exe
        81⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Fcodfa32.exe
        
        C:\Windows\system32\Fcodfa32.exe
        82⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Ikcmmjkb.exe
        
        C:\Windows\system32\Ikcmmjkb.exe
        83⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Opefdo32.exe
        
        C:\Windows\system32\Opefdo32.exe
        84⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Omigmc32.exe
        
        C:\Windows\system32\Omigmc32.exe
        85⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Opgciodi.exe
        
        C:\Windows\system32\Opgciodi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Ofalfi32.exe
        
        C:\Windows\system32\Ofalfi32.exe
        87⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Odelpm32.exe
        
        C:\Windows\system32\Odelpm32.exe
        88⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Okodlgbl.exe
        
        C:\Windows\system32\Okodlgbl.exe
        89⤵
        
        PID:2216

C:\Windows\SysWOW64\Qkmqne32.exe
C:\Windows\system32\Qkmqne32.exe
1⤵
PID:2204
- C:\Windows\SysWOW64\Qgdabflp.exe
  C:\Windows\system32\Qgdabflp.exe
  2⤵
  PID:7684
- - C:\Windows\SysWOW64\Qnniopcm.exe
    C:\Windows\system32\Qnniopcm.exe
    3⤵
    PID:7556
  - - C:\Windows\SysWOW64\Akbjidbf.exe
      C:\Windows\system32\Akbjidbf.exe
      4⤵
      PID:3880
    - - C:\Windows\SysWOW64\Adjnaj32.exe
        
        C:\Windows\system32\Adjnaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4680
      - C:\Windows\SysWOW64\Agikne32.exe
        
        C:\Windows\system32\Agikne32.exe
        6⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Alfcflfb.exe
        
        C:\Windows\system32\Alfcflfb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Ajjcoqdl.exe
        
        C:\Windows\system32\Ajjcoqdl.exe
        8⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Alhpkldp.exe
        
        C:\Windows\system32\Alhpkldp.exe
        9⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Adohmidb.exe
        
        C:\Windows\system32\Adohmidb.exe
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Agndidce.exe
        
        C:\Windows\system32\Agndidce.exe
        11⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Akipic32.exe
        
        C:\Windows\system32\Akipic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:640
        
        C:\Windows\SysWOW64\Angleokb.exe
        
        C:\Windows\system32\Angleokb.exe
        13⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Agpqnd32.exe
        
        C:\Windows\system32\Agpqnd32.exe
        14⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Ajnmjp32.exe
        
        C:\Windows\system32\Ajnmjp32.exe
        15⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Almifk32.exe
        
        C:\Windows\system32\Almifk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Addahh32.exe
        
        C:\Windows\system32\Addahh32.exe
        17⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Bnlfqngm.exe
        
        C:\Windows\system32\Bnlfqngm.exe
        18⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Bcinie32.exe
        
        C:\Windows\system32\Bcinie32.exe
        19⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Bjcfeola.exe
        
        C:\Windows\system32\Bjcfeola.exe
        20⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Blabakle.exe
        
        C:\Windows\system32\Blabakle.exe
        21⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Bdhkchlg.exe
        
        C:\Windows\system32\Bdhkchlg.exe
        22⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Bgggockk.exe
        
        C:\Windows\system32\Bgggockk.exe
        23⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Bnaolm32.exe
        
        C:\Windows\system32\Bnaolm32.exe
        24⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Bqokhi32.exe
        
        C:\Windows\system32\Bqokhi32.exe
        25⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Bgicdc32.exe
        
        C:\Windows\system32\Bgicdc32.exe
        26⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Bnclamqe.exe
        
        C:\Windows\system32\Bnclamqe.exe
        27⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Bqahmhpi.exe
        
        C:\Windows\system32\Bqahmhpi.exe
        28⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Bglpjb32.exe
        
        C:\Windows\system32\Bglpjb32.exe
        29⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\Bjjmfn32.exe
        
        C:\Windows\system32\Bjjmfn32.exe
        30⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Bmhibi32.exe
        
        C:\Windows\system32\Bmhibi32.exe
        31⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Bdpqcg32.exe
        
        C:\Windows\system32\Bdpqcg32.exe
        32⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Cgnmpbec.exe
        
        C:\Windows\system32\Cgnmpbec.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1056
        
        C:\Windows\SysWOW64\Cjlilndf.exe
        
        C:\Windows\system32\Cjlilndf.exe
        34⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Cqfahh32.exe
        
        C:\Windows\system32\Cqfahh32.exe
        35⤵
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ccendc32.exe
        
        C:\Windows\system32\Ccendc32.exe
        36⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Cjofambd.exe
        
        C:\Windows\system32\Cjofambd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3440
        
        C:\Windows\SysWOW64\Cknbkpif.exe
        
        C:\Windows\system32\Cknbkpif.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Cnmoglij.exe
        
        C:\Windows\system32\Cnmoglij.exe
        39⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cqkkcghn.exe
        
        C:\Windows\system32\Cqkkcghn.exe
        40⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Cjcolm32.exe
        
        C:\Windows\system32\Cjcolm32.exe
        41⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Cggpfa32.exe
        
        C:\Windows\system32\Cggpfa32.exe
        42⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Cjflblll.exe
        
        C:\Windows\system32\Cjflblll.exe
        43⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Ddkpoelb.exe
        
        C:\Windows\system32\Ddkpoelb.exe
        44⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Dkehlo32.exe
        
        C:\Windows\system32\Dkehlo32.exe
        45⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Dqbadf32.exe
        
        C:\Windows\system32\Dqbadf32.exe
        46⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Dkgeao32.exe
        
        C:\Windows\system32\Dkgeao32.exe
        47⤵
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Dqdnjfpc.exe
        
        C:\Windows\system32\Dqdnjfpc.exe
        48⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Dgnffp32.exe
        
        C:\Windows\system32\Dgnffp32.exe
        49⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Djmbbk32.exe
        
        C:\Windows\system32\Djmbbk32.exe
        50⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Dqgjoenq.exe
        
        C:\Windows\system32\Dqgjoenq.exe
        51⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Dklomnmf.exe
        
        C:\Windows\system32\Dklomnmf.exe
        52⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Dnkkij32.exe
        
        C:\Windows\system32\Dnkkij32.exe
        53⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Dedceddg.exe
        
        C:\Windows\system32\Dedceddg.exe
        54⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Dgcoaock.exe
        
        C:\Windows\system32\Dgcoaock.exe
        55⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Dnmgni32.exe
        
        C:\Windows\system32\Dnmgni32.exe
        56⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\Eakdje32.exe
        
        C:\Windows\system32\Eakdje32.exe
        57⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Ejdhcjpl.exe
        
        C:\Windows\system32\Ejdhcjpl.exe
        58⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Embdofop.exe
        
        C:\Windows\system32\Embdofop.exe
        59⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ekcemmgo.exe
        
        C:\Windows\system32\Ekcemmgo.exe
        60⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Eapmedef.exe
        
        C:\Windows\system32\Eapmedef.exe
        61⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Ejhanj32.exe
        
        C:\Windows\system32\Ejhanj32.exe
        62⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Eenflbll.exe
        
        C:\Windows\system32\Eenflbll.exe
        63⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Emikpeig.exe
        
        C:\Windows\system32\Emikpeig.exe
        64⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Ecccmo32.exe
        
        C:\Windows\system32\Ecccmo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4364
        
        C:\Windows\SysWOW64\Ejmkiiha.exe
        
        C:\Windows\system32\Ejmkiiha.exe
        66⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Fagcfc32.exe
        
        C:\Windows\system32\Fagcfc32.exe
        67⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Fcepbooa.exe
        
        C:\Windows\system32\Fcepbooa.exe
        68⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Fmndkd32.exe
        
        C:\Windows\system32\Fmndkd32.exe
        69⤵
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Flodilma.exe
        
        C:\Windows\system32\Flodilma.exe
        70⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Flaaok32.exe
        
        C:\Windows\system32\Flaaok32.exe
        71⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Fmbnfcam.exe
        
        C:\Windows\system32\Fmbnfcam.exe
        72⤵
        Modifies registry class
        
        PID:8404
        
        C:\Windows\SysWOW64\Fdmfcn32.exe
        
        C:\Windows\system32\Fdmfcn32.exe
        73⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Flcndk32.exe
        
        C:\Windows\system32\Flcndk32.exe
        74⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Fnbjpf32.exe
        
        C:\Windows\system32\Fnbjpf32.exe
        75⤵
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\Fhjoilop.exe
        
        C:\Windows\system32\Fhjoilop.exe
        76⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Fndgfffm.exe
        
        C:\Windows\system32\Fndgfffm.exe
        77⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Ghadjkhh.exe
        
        C:\Windows\system32\Ghadjkhh.exe
        78⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Gmqjga32.exe
        
        C:\Windows\system32\Gmqjga32.exe
        79⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Glajeiml.exe
        
        C:\Windows\system32\Glajeiml.exe
        80⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Hldgkiki.exe
        
        C:\Windows\system32\Hldgkiki.exe
        81⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Helkdnaj.exe
        
        C:\Windows\system32\Helkdnaj.exe
        82⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Hlfcqh32.exe
        
        C:\Windows\system32\Hlfcqh32.exe
        83⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Haclio32.exe
        
        C:\Windows\system32\Haclio32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9024
        
        C:\Windows\SysWOW64\Hknmgd32.exe
        
        C:\Windows\system32\Hknmgd32.exe
        85⤵
        Modifies registry class
        
        PID:9092
        
        C:\Windows\SysWOW64\Hahedoci.exe
        
        C:\Windows\system32\Hahedoci.exe
        86⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Hdfapjbl.exe
        
        C:\Windows\system32\Hdfapjbl.exe
        87⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Hlmiagbo.exe
        
        C:\Windows\system32\Hlmiagbo.exe
        88⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Iolfmcbb.exe
        
        C:\Windows\system32\Iolfmcbb.exe
        89⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Idinej32.exe
        
        C:\Windows\system32\Idinej32.exe
        90⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Ikbfbdgf.exe
        
        C:\Windows\system32\Ikbfbdgf.exe
        91⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8336
        
        C:\Windows\SysWOW64\Ilbclg32.exe
        
        C:\Windows\system32\Ilbclg32.exe
        93⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Ioqohb32.exe
        
        C:\Windows\system32\Ioqohb32.exe
        94⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Iejgelej.exe
        
        C:\Windows\system32\Iejgelej.exe
        95⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Iacepmik.exe
        
        C:\Windows\system32\Iacepmik.exe
        96⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Jlkfbe32.exe
        
        C:\Windows\system32\Jlkfbe32.exe
        97⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Jnmbjnlm.exe
        
        C:\Windows\system32\Jnmbjnlm.exe
        98⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Jedjkkmo.exe
        
        C:\Windows\system32\Jedjkkmo.exe
        99⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        100⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Jlnbhe32.exe
        
        C:\Windows\system32\Jlnbhe32.exe
        101⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Jnoopm32.exe
        
        C:\Windows\system32\Jnoopm32.exe
        102⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Jefgak32.exe
        
        C:\Windows\system32\Jefgak32.exe
        103⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Jhdcmf32.exe
        
        C:\Windows\system32\Jhdcmf32.exe
        104⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Jkcpia32.exe
        
        C:\Windows\system32\Jkcpia32.exe
        105⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Jnalem32.exe
        
        C:\Windows\system32\Jnalem32.exe
        106⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Jehcfj32.exe
        
        C:\Windows\system32\Jehcfj32.exe
        107⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Jhgpbf32.exe
        
        C:\Windows\system32\Jhgpbf32.exe
        108⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Joahop32.exe
        
        C:\Windows\system32\Joahop32.exe
        109⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Jdnqgg32.exe
        
        C:\Windows\system32\Jdnqgg32.exe
        110⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Koceep32.exe
        
        C:\Windows\system32\Koceep32.exe
        111⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Kaaaak32.exe
        
        C:\Windows\system32\Kaaaak32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Klgend32.exe
        
        C:\Windows\system32\Klgend32.exe
        113⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Kadnfkji.exe
        
        C:\Windows\system32\Kadnfkji.exe
        114⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Klibdcjo.exe
        
        C:\Windows\system32\Klibdcjo.exe
        115⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Knkokl32.exe
        
        C:\Windows\system32\Knkokl32.exe
        116⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Kojkeogp.exe
        
        C:\Windows\system32\Kojkeogp.exe
        117⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Komhkn32.exe
        
        C:\Windows\system32\Komhkn32.exe
        118⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Lkfeeo32.exe
        
        C:\Windows\system32\Lkfeeo32.exe
        119⤵
        
        PID:8552

C:\Windows\SysWOW64\Lmeapbpa.exe
C:\Windows\system32\Lmeapbpa.exe
1⤵
PID:7768
- C:\Windows\SysWOW64\Lmjkka32.exe
  C:\Windows\system32\Lmjkka32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3368
- - C:\Windows\SysWOW64\Mfgiof32.exe
    C:\Windows\system32\Mfgiof32.exe
    3⤵
    PID:7060
  - - C:\Windows\SysWOW64\Mkfnlmkl.exe
      C:\Windows\system32\Mkfnlmkl.exe
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\Nfnooe32.exe
        
        C:\Windows\system32\Nfnooe32.exe
        5⤵
        Drops file in System32 directory
        
        PID:5928
      - C:\Windows\SysWOW64\Nfchjddj.exe
        
        C:\Windows\system32\Nfchjddj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8868
        
        C:\Windows\SysWOW64\Nicalpak.exe
        
        C:\Windows\system32\Nicalpak.exe
        7⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Nnpjdfpb.exe
        
        C:\Windows\system32\Nnpjdfpb.exe
        8⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Nfgbec32.exe
        
        C:\Windows\system32\Nfgbec32.exe
        9⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Obqopddf.exe
        
        C:\Windows\system32\Obqopddf.exe
        10⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Olidijjf.exe
        
        C:\Windows\system32\Olidijjf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Oimdbnip.exe
        
        C:\Windows\system32\Oimdbnip.exe
        12⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Onjmjegg.exe
        
        C:\Windows\system32\Onjmjegg.exe
        13⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Oecego32.exe
        
        C:\Windows\system32\Oecego32.exe
        14⤵
        
        PID:5472

C:\Windows\SysWOW64\Opiidhoj.exe
C:\Windows\system32\Opiidhoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788
- C:\Windows\SysWOW64\Obgeqcnn.exe
  C:\Windows\system32\Obgeqcnn.exe
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\Ommjnlnd.exe
    C:\Windows\system32\Ommjnlnd.exe
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\Ponfed32.exe
      C:\Windows\system32\Ponfed32.exe
      4⤵
      PID:5256
    - - C:\Windows\SysWOW64\Pidjcm32.exe
        
        C:\Windows\system32\Pidjcm32.exe
        5⤵
        
        PID:1924
      - C:\Windows\SysWOW64\Pblolb32.exe
        
        C:\Windows\system32\Pblolb32.exe
        6⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Pifghmae.exe
        
        C:\Windows\system32\Pifghmae.exe
        7⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Pldcdhpi.exe
        
        C:\Windows\system32\Pldcdhpi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Pbokab32.exe
        
        C:\Windows\system32\Pbokab32.exe
        9⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Pmdpok32.exe
        
        C:\Windows\system32\Pmdpok32.exe
        10⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Poelfc32.exe
        
        C:\Windows\system32\Poelfc32.exe
        11⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Pikqcl32.exe
        
        C:\Windows\system32\Pikqcl32.exe
        12⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Plimpg32.exe
        
        C:\Windows\system32\Plimpg32.exe
        13⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Pohilc32.exe
        
        C:\Windows\system32\Pohilc32.exe
        14⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pfoamp32.exe
        
        C:\Windows\system32\Pfoamp32.exe
        15⤵
        Drops file in System32 directory
        
        PID:8664
        
        C:\Windows\SysWOW64\Pmiijjcf.exe
        
        C:\Windows\system32\Pmiijjcf.exe
        16⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Qbeaba32.exe
        
        C:\Windows\system32\Qbeaba32.exe
        17⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Qmkfoj32.exe
        
        C:\Windows\system32\Qmkfoj32.exe
        18⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Qbhnga32.exe
        
        C:\Windows\system32\Qbhnga32.exe
        19⤵
        
        PID:580
        
        C:\Windows\SysWOW64\Qmnbej32.exe
        
        C:\Windows\system32\Qmnbej32.exe
        20⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Affgno32.exe
        
        C:\Windows\system32\Affgno32.exe
        21⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Albpff32.exe
        
        C:\Windows\system32\Albpff32.exe
        22⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Abmhbplf.exe
        
        C:\Windows\system32\Abmhbplf.exe
        23⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Aifpoj32.exe
        
        C:\Windows\system32\Aifpoj32.exe
        24⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Algiaepd.exe
        
        C:\Windows\system32\Algiaepd.exe
        25⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Aofemaog.exe
        
        C:\Windows\system32\Aofemaog.exe
        26⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Amgekh32.exe
        
        C:\Windows\system32\Amgekh32.exe
        27⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ainfpi32.exe
        
        C:\Windows\system32\Ainfpi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Bgafin32.exe
        
        C:\Windows\system32\Bgafin32.exe
        29⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Bipcei32.exe
        
        C:\Windows\system32\Bipcei32.exe
        30⤵
        Modifies registry class
        
        PID:8196
        
        C:\Windows\SysWOW64\Bgdcom32.exe
        
        C:\Windows\system32\Bgdcom32.exe
        31⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Bnphag32.exe
        
        C:\Windows\system32\Bnphag32.exe
        32⤵
        
        PID:8272

C:\Windows\SysWOW64\Bnbeggmi.exe
C:\Windows\system32\Bnbeggmi.exe
1⤵
PID:5744
- C:\Windows\SysWOW64\Benjkijd.exe
  C:\Windows\system32\Benjkijd.exe
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\Cpcnhbjj.exe
    C:\Windows\system32\Cpcnhbjj.exe
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\Cgmfel32.exe
      C:\Windows\system32\Cgmfel32.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:5188
    - - C:\Windows\SysWOW64\Cjnoggoh.exe
        
        C:\Windows\system32\Cjnoggoh.exe
        5⤵
        
        PID:4804
      - C:\Windows\SysWOW64\Ccfcpm32.exe
        
        C:\Windows\system32\Ccfcpm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540

C:\Windows\SysWOW64\Ccipelcf.exe
C:\Windows\system32\Ccipelcf.exe
1⤵
PID:5576
- C:\Windows\SysWOW64\Cfiiggpg.exe
  C:\Windows\system32\Cfiiggpg.exe
  2⤵
  PID:820
- - C:\Windows\SysWOW64\Dflflg32.exe
    C:\Windows\system32\Dflflg32.exe
    3⤵
    PID:6652
  - - C:\Windows\SysWOW64\Dlfniafa.exe
      C:\Windows\system32\Dlfniafa.exe
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\Dcpffk32.exe
        
        C:\Windows\system32\Dcpffk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
      - C:\Windows\SysWOW64\Dnekcd32.exe
        
        C:\Windows\system32\Dnekcd32.exe
        6⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dgnolj32.exe
        
        C:\Windows\system32\Dgnolj32.exe
        7⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Djnhne32.exe
        
        C:\Windows\system32\Djnhne32.exe
        8⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Eqkmpo32.exe
        
        C:\Windows\system32\Eqkmpo32.exe
        9⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Egeemiml.exe
        
        C:\Windows\system32\Egeemiml.exe
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Ejcaidlp.exe
        
        C:\Windows\system32\Ejcaidlp.exe
        11⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Enajobbf.exe
        
        C:\Windows\system32\Enajobbf.exe
        12⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Epgpajdp.exe
        
        C:\Windows\system32\Epgpajdp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8996
        
        C:\Windows\SysWOW64\Fjldocde.exe
        
        C:\Windows\system32\Fjldocde.exe
        14⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Fpimgjbm.exe
        
        C:\Windows\system32\Fpimgjbm.exe
        15⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Fjoadbbc.exe
        
        C:\Windows\system32\Fjoadbbc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Fplimi32.exe
        
        C:\Windows\system32\Fplimi32.exe
        17⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Fjanjb32.exe
        
        C:\Windows\system32\Fjanjb32.exe
        18⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Fpnfbi32.exe
        
        C:\Windows\system32\Fpnfbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Fanbll32.exe
        
        C:\Windows\system32\Fanbll32.exe
        20⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Gmfpgmil.exe
        
        C:\Windows\system32\Gmfpgmil.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6864
        
        C:\Windows\SysWOW64\Gcceifof.exe
        
        C:\Windows\system32\Gcceifof.exe
        22⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Gpjfng32.exe
        
        C:\Windows\system32\Gpjfng32.exe
        23⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Gnkflo32.exe
        
        C:\Windows\system32\Gnkflo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Gaibhj32.exe
        
        C:\Windows\system32\Gaibhj32.exe
        25⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Gcgndf32.exe
        
        C:\Windows\system32\Gcgndf32.exe
        26⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Gffkpa32.exe
        
        C:\Windows\system32\Gffkpa32.exe
        27⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Gnmbao32.exe
        
        C:\Windows\system32\Gnmbao32.exe
        28⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Hcjkje32.exe
        
        C:\Windows\system32\Hcjkje32.exe
        29⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Hfhgfaha.exe
        
        C:\Windows\system32\Hfhgfaha.exe
        30⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Hnpognhd.exe
        
        C:\Windows\system32\Hnpognhd.exe
        31⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Hpqlof32.exe
        
        C:\Windows\system32\Hpqlof32.exe
        32⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        33⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Hnblmnfa.exe
        
        C:\Windows\system32\Hnblmnfa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Haphiiee.exe
        
        C:\Windows\system32\Haphiiee.exe
        35⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Hdodeedi.exe
        
        C:\Windows\system32\Hdodeedi.exe
        36⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Hjimaole.exe
        
        C:\Windows\system32\Hjimaole.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Hpeejfjm.exe
        
        C:\Windows\system32\Hpeejfjm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Hhmmkcko.exe
        
        C:\Windows\system32\Hhmmkcko.exe
        39⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Hjkigojc.exe
        
        C:\Windows\system32\Hjkigojc.exe
        40⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Hmifcjif.exe
        
        C:\Windows\system32\Hmifcjif.exe
        41⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Hphbpehj.exe
        
        C:\Windows\system32\Hphbpehj.exe
        42⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Hhojqcil.exe
        
        C:\Windows\system32\Hhojqcil.exe
        43⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Hoibmmpi.exe
        
        C:\Windows\system32\Hoibmmpi.exe
        44⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Hagnihom.exe
        
        C:\Windows\system32\Hagnihom.exe
        45⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ijpcbn32.exe
        
        C:\Windows\system32\Ijpcbn32.exe
        46⤵
        Modifies registry class
        
        PID:8740
        
        C:\Windows\SysWOW64\Imnoni32.exe
        
        C:\Windows\system32\Imnoni32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1196
        
        C:\Windows\SysWOW64\Ionlhlld.exe
        
        C:\Windows\system32\Ionlhlld.exe
        48⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Impldi32.exe
        
        C:\Windows\system32\Impldi32.exe
        49⤵
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Idjdqc32.exe
        
        C:\Windows\system32\Idjdqc32.exe
        50⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Iandjg32.exe
        
        C:\Windows\system32\Iandjg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7232
        
        C:\Windows\SysWOW64\Ihhmgaqb.exe
        
        C:\Windows\system32\Ihhmgaqb.exe
        52⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Ikgicmpe.exe
        
        C:\Windows\system32\Ikgicmpe.exe
        53⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Iaqapggb.exe
        
        C:\Windows\system32\Iaqapggb.exe
        54⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ihkila32.exe
        
        C:\Windows\system32\Ihkila32.exe
        55⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Jmlkpgia.exe
        
        C:\Windows\system32\Jmlkpgia.exe
        56⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Jdfcla32.exe
        
        C:\Windows\system32\Jdfcla32.exe
        57⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Jgdphm32.exe
        
        C:\Windows\system32\Jgdphm32.exe
        58⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Jolhjj32.exe
        
        C:\Windows\system32\Jolhjj32.exe
        59⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Jpmdabfb.exe
        
        C:\Windows\system32\Jpmdabfb.exe
        60⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Jdhpba32.exe
        
        C:\Windows\system32\Jdhpba32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7884
        
        C:\Windows\SysWOW64\Jggmnmmo.exe
        
        C:\Windows\system32\Jggmnmmo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Jmqekg32.exe
        
        C:\Windows\system32\Jmqekg32.exe
        63⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Jpoagb32.exe
        
        C:\Windows\system32\Jpoagb32.exe
        64⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        65⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Jncapf32.exe
        
        C:\Windows\system32\Jncapf32.exe
        66⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Kdmjmqjf.exe
        
        C:\Windows\system32\Kdmjmqjf.exe
        67⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Khifno32.exe
        
        C:\Windows\system32\Khifno32.exe
        68⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Knenffqf.exe
        
        C:\Windows\system32\Knenffqf.exe
        69⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Kdpfbp32.exe
        
        C:\Windows\system32\Kdpfbp32.exe
        70⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Kgnbol32.exe
        
        C:\Windows\system32\Kgnbol32.exe
        71⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Knhkkfod.exe
        
        C:\Windows\system32\Knhkkfod.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3804
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        73⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Khmoionj.exe
        
        C:\Windows\system32\Khmoionj.exe
        74⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Kklkej32.exe
        
        C:\Windows\system32\Kklkej32.exe
        75⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Knjhae32.exe
        
        C:\Windows\system32\Knjhae32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:236
        
        C:\Windows\SysWOW64\Kphdma32.exe
        
        C:\Windows\system32\Kphdma32.exe
        77⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Khplnn32.exe
        
        C:\Windows\system32\Khplnn32.exe
        78⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Kojdkhdd.exe
        
        C:\Windows\system32\Kojdkhdd.exe
        79⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Khbhdn32.exe
        
        C:\Windows\system32\Khbhdn32.exe
        80⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Kolaqh32.exe
        
        C:\Windows\system32\Kolaqh32.exe
        81⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        82⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Loqjlg32.exe
        
        C:\Windows\system32\Loqjlg32.exe
        83⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Cnbmolhd.exe
        
        C:\Windows\system32\Cnbmolhd.exe
        84⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Ijcaaibe.exe
        
        C:\Windows\system32\Ijcaaibe.exe
        85⤵
        Modifies registry class
        
        PID:8560
        
        C:\Windows\SysWOW64\Idieob32.exe
        
        C:\Windows\system32\Idieob32.exe
        86⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Ipcomo32.exe
        
        C:\Windows\system32\Ipcomo32.exe
        87⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Icalij32.exe
        
        C:\Windows\system32\Icalij32.exe
        88⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Ikickgnf.exe
        
        C:\Windows\system32\Ikickgnf.exe
        89⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Igpdph32.exe
        
        C:\Windows\system32\Igpdph32.exe
        90⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Illmho32.exe
        
        C:\Windows\system32\Illmho32.exe
        91⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Inlibb32.exe
        
        C:\Windows\system32\Inlibb32.exe
        92⤵
        
        PID:9000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acmobchj.exe

Filesize
337KB

MD5
71ae711fd0d520aa4d3ba07e492097db

SHA1
bca2716ea705560999961afa857560b64abd016d

SHA256
2f9db64c094b3b6d20302afc7eb830134050a6045663953ae3232216e237538b

SHA512
1fab0ae631c8cf19a8cf850499e9d31629a22a0a4df7d5b51709ee6fc768df6c6bac0b83b2c95704cc05b157683c00488fe7fcc4c53c57f6c2d33c203a1fe7a5

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
337KB

MD5
ef21e512dfe5ee1942c040f24fc57e4e

SHA1
2b2066ba12e91711da0e1cefe00899a1cfbd25bb

SHA256
7e6a955612adf42186baeb17af0621d34d0b3e38fc0fcf5f9a17a3eced8fea99

SHA512
7ed96000bc6cd512cede106c8b533d5c3e8f3a9abf18341f5ff244fa9debdbbec0b57fcf860ba07a5a54f37995a086888b3ebbb6123bddeeeb5b8f59ecf10168

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
337KB

MD5
fedf85a35a5db1f831aa32532b1451bf

SHA1
9d11dff71da2241e11771f87deaed8e2535222ac

SHA256
5efc70a0bbfade5573c45ec0f17a388f2ef6d661cc3191235eaf9b6826dd64b5

SHA512
08151abd8602bb94102656c7f5ea5305a416e65c47122078eca9098d17d533b8fa1af3bd8296f74fb0de61140569bb18c7ca9b4174503d7be54dedf185c2ab52

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
337KB

MD5
2b152dfa8f18df1f96e5febcb94d868c

SHA1
3e43ca1681aec9282e39fe1d087b23489c1cb360

SHA256
6a9f362094816fbb8fb0f5a5b00ac717df3eabc6bc74c3c7ae29e380565cd84c

SHA512
9e756553cb9d2a5f6ac7ea9dea253b2dfdf8502aeb37e09c7df12707693dd5a54f9034be568604814260f0d61dedc52571a2b978a892420c598e86715fec26dc

Download Submit
C:\Windows\SysWOW64\Caienjfd.exe

Filesize
337KB

MD5
0f4e4f84079496fc1842c33727f9e3ec

SHA1
a0b0102726a571f3350854ef7f1352fb4b8e6db7

SHA256
4ec17277192ca58a0b8f0d575893aa65ea8dec2c51d5422274e19ad672bd40b9

SHA512
d945a4901a391b3076d912cb5c29eb0cea7c80ebb4c1b8777e8170065b20a92e9e18d92bf09e61d976c0fb1b96949cd5f700c95d4ed60d24d0cc1d850c8e9d9d

Download Submit
C:\Windows\SysWOW64\Caienjfd.exe

Filesize
337KB

MD5
0f4e4f84079496fc1842c33727f9e3ec

SHA1
a0b0102726a571f3350854ef7f1352fb4b8e6db7

SHA256
4ec17277192ca58a0b8f0d575893aa65ea8dec2c51d5422274e19ad672bd40b9

SHA512
d945a4901a391b3076d912cb5c29eb0cea7c80ebb4c1b8777e8170065b20a92e9e18d92bf09e61d976c0fb1b96949cd5f700c95d4ed60d24d0cc1d850c8e9d9d

Download Submit
C:\Windows\SysWOW64\Cfadkb32.exe

Filesize
337KB

MD5
d95ffa14e1340759be0d0ceaf614e252

SHA1
bab775e9823a43ed8f1b5a6812e7d2809efcf799

SHA256
f31362681ae4bc6923dd4de16bb12a97e42e8597e6323cb2f3a51e3da6d8df79

SHA512
a56ecd64be4ec9bee3e9191f5bc3e0313a5c4a06742bb35658da7cf125aba909601ed2220418070e74ac82e586d2a7940165ada931e321991c5e0eb9d84fa47b

Download Submit
C:\Windows\SysWOW64\Cfadkb32.exe

Filesize
337KB

MD5
d95ffa14e1340759be0d0ceaf614e252

SHA1
bab775e9823a43ed8f1b5a6812e7d2809efcf799

SHA256
f31362681ae4bc6923dd4de16bb12a97e42e8597e6323cb2f3a51e3da6d8df79

SHA512
a56ecd64be4ec9bee3e9191f5bc3e0313a5c4a06742bb35658da7cf125aba909601ed2220418070e74ac82e586d2a7940165ada931e321991c5e0eb9d84fa47b

Download Submit
C:\Windows\SysWOW64\Cffmfadl.exe

Filesize
337KB

MD5
2a216f8c841b96d3f33094a1f697fb88

SHA1
004a633eb9a35aacc3ee9971c4f84585e579abef

SHA256
1298223e186f91ea3f1d68c0b58f74d092a5ea2d5f27461f49be79e9fb1f25a4

SHA512
16e8611437c105da0088094b9feac51a6aca25379f2295bdb8901f715700ef0f5144ecec72be330ad72c7c0433570e331e4270580af81220d16405c667661942

Download Submit
C:\Windows\SysWOW64\Cffmfadl.exe

Filesize
337KB

MD5
2a216f8c841b96d3f33094a1f697fb88

SHA1
004a633eb9a35aacc3ee9971c4f84585e579abef

SHA256
1298223e186f91ea3f1d68c0b58f74d092a5ea2d5f27461f49be79e9fb1f25a4

SHA512
16e8611437c105da0088094b9feac51a6aca25379f2295bdb8901f715700ef0f5144ecec72be330ad72c7c0433570e331e4270580af81220d16405c667661942

Download Submit
C:\Windows\SysWOW64\Cgqqdeod.exe

Filesize
337KB

MD5
34d67a8ddbe163e761629507e58a709a

SHA1
eff5016e211ef984bc88bc503d72ab37565c9228

SHA256
41eee576b03b297c049fcb132150e4f0c64145c85947d56923d6966362f940a6

SHA512
1e1d01c05b84067300e757e793f9cb86c52609c69760174fb49931bebadc0dc24e999ca0af85aae5fdc93232314f6d0fbb4e8f309e9be33d29eee19b006724d5

Download Submit
C:\Windows\SysWOW64\Cgqqdeod.exe

Filesize
337KB

MD5
34d67a8ddbe163e761629507e58a709a

SHA1
eff5016e211ef984bc88bc503d72ab37565c9228

SHA256
41eee576b03b297c049fcb132150e4f0c64145c85947d56923d6966362f940a6

SHA512
1e1d01c05b84067300e757e793f9cb86c52609c69760174fb49931bebadc0dc24e999ca0af85aae5fdc93232314f6d0fbb4e8f309e9be33d29eee19b006724d5

Download Submit
C:\Windows\SysWOW64\Ckclhn32.exe

Filesize
337KB

MD5
e447c0b0e28e668ecdad326d05e71608

SHA1
4c46a4b69cec10fc176d88127b3bc80d611855c1

SHA256
06636e040e3d4717bd9b89a007e2f055cb3e0fec902ce95142117c4abcd27015

SHA512
10f08693a030b0b93c05f3cfaeabf473643b60588059853b72a2e64937c73de2e9b035cdd1dd002c4389f06566bb4e5e95104caf0a5aa699b767eda1b98e47f5

Download Submit
C:\Windows\SysWOW64\Cnbmolhd.exe

Filesize
337KB

MD5
94941a27318a03afab6951c328627854

SHA1
da1913a2210ed4f6a591affc925d4897709c2069

SHA256
d17d1bbf2efddef4b6a19b0aad49dc9e8f3ae2adab22418e3806d7ccca8c34b2

SHA512
de71c62926dc19dc3a490bea7427c0392392ecff13de458e17bac13307f09f1d93ad394809d5bd89b892bd6cfd436367aecdd5e8786ccadc9c172a5bb2919012

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
337KB

MD5
af7e4e6b5d6845b9afd0be709f775bd9

SHA1
51eec63ff1785f5b5e85bc749b543a3d4cf7be36

SHA256
6efb1c7553382fa92ad6f8f1844419c381698e5c436bfc11118ade93202ef96e

SHA512
316ae8b4be7bc21c82ae48de44106af64a4cef2ce191dcc1e57318ec8969433d195acd133fb6176f800171de43aa421992f0de6884ba0abafd0d0a59e8f04c62

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
337KB

MD5
af7e4e6b5d6845b9afd0be709f775bd9

SHA1
51eec63ff1785f5b5e85bc749b543a3d4cf7be36

SHA256
6efb1c7553382fa92ad6f8f1844419c381698e5c436bfc11118ade93202ef96e

SHA512
316ae8b4be7bc21c82ae48de44106af64a4cef2ce191dcc1e57318ec8969433d195acd133fb6176f800171de43aa421992f0de6884ba0abafd0d0a59e8f04c62

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
337KB

MD5
af7e4e6b5d6845b9afd0be709f775bd9

SHA1
51eec63ff1785f5b5e85bc749b543a3d4cf7be36

SHA256
6efb1c7553382fa92ad6f8f1844419c381698e5c436bfc11118ade93202ef96e

SHA512
316ae8b4be7bc21c82ae48de44106af64a4cef2ce191dcc1e57318ec8969433d195acd133fb6176f800171de43aa421992f0de6884ba0abafd0d0a59e8f04c62

Download Submit
C:\Windows\SysWOW64\Dgejpd32.exe

Filesize
337KB

MD5
135a2b6c615641eb492acaf975cf9ba7

SHA1
a0715d28d377a5e9b5ac6d02ef1ebcddb71c5230

SHA256
234233ae68bbe5db5ff470c585bf242fd7a1c7b0a4d1fa3d8acf187836b7c19e

SHA512
3729ed65674008dd081d433867c556da9e5f6f1abfce9245036fbe0de749a6d75376f93f7dba20b9ee607cdccf7e466fa010b4daa9b9fbfc53f2cfc95f469a17

Download Submit
C:\Windows\SysWOW64\Dgejpd32.exe

Filesize
337KB

MD5
135a2b6c615641eb492acaf975cf9ba7

SHA1
a0715d28d377a5e9b5ac6d02ef1ebcddb71c5230

SHA256
234233ae68bbe5db5ff470c585bf242fd7a1c7b0a4d1fa3d8acf187836b7c19e

SHA512
3729ed65674008dd081d433867c556da9e5f6f1abfce9245036fbe0de749a6d75376f93f7dba20b9ee607cdccf7e466fa010b4daa9b9fbfc53f2cfc95f469a17

Download Submit
C:\Windows\SysWOW64\Dhomfc32.exe

Filesize
337KB

MD5
148d5222ce60547f83d4a789835eb54c

SHA1
9afb4ebaa2fa3f507668044c2ff67b4411b5a07b

SHA256
fd7005f574bd18342cf2dc660fdf9ac8f7e01c2e7fdcdefcd8c052014dd650d2

SHA512
2278891ca8bc92366accd4d69b0e726c75c635bcf671d1729c6d0f2a990671317a9cbbb96e5a3976a209e567a15a42e37e943c009bbe9070e16470cd26599137

Download Submit
C:\Windows\SysWOW64\Dhomfc32.exe

Filesize
337KB

MD5
148d5222ce60547f83d4a789835eb54c

SHA1
9afb4ebaa2fa3f507668044c2ff67b4411b5a07b

SHA256
fd7005f574bd18342cf2dc660fdf9ac8f7e01c2e7fdcdefcd8c052014dd650d2

SHA512
2278891ca8bc92366accd4d69b0e726c75c635bcf671d1729c6d0f2a990671317a9cbbb96e5a3976a209e567a15a42e37e943c009bbe9070e16470cd26599137

Download Submit
C:\Windows\SysWOW64\Dpckjfgg.exe

Filesize
337KB

MD5
0d17142f8b8bfe2d4535416be1c992b5

SHA1
1217da904dacc839cee25d4c3c6b282c09ce5fcd

SHA256
6d481f04606250047a8710a1002fac8468c8e8e5d6283835cc03cf4ff6ce779f

SHA512
bd5d894ae7cc1a33be068a7c4831b6646f0e7f40482b2e4c220e902621fe0cdd46307ff6918f2b9a3c54d21e55b9eb13d7e764eb9e695a21dc19405fa943eee5

Download Submit
C:\Windows\SysWOW64\Dpckjfgg.exe

Filesize
337KB

MD5
0d17142f8b8bfe2d4535416be1c992b5

SHA1
1217da904dacc839cee25d4c3c6b282c09ce5fcd

SHA256
6d481f04606250047a8710a1002fac8468c8e8e5d6283835cc03cf4ff6ce779f

SHA512
bd5d894ae7cc1a33be068a7c4831b6646f0e7f40482b2e4c220e902621fe0cdd46307ff6918f2b9a3c54d21e55b9eb13d7e764eb9e695a21dc19405fa943eee5

Download Submit
C:\Windows\SysWOW64\Dpehof32.exe

Filesize
337KB

MD5
8471af31b81b0fe89794e1bb08632a00

SHA1
80f34a9254bba704783c122ea8368739dcf18f95

SHA256
3a5f8767db328f32b2b433af5b391f36036ab786a1039759fc5b1e622f8c6cfa

SHA512
5f6810a6644b942a5bfc3646b1ac6105e601b324eeedbeca0684590b459abe1333a576af2722a8ab8c0d03c1cabf5636247c008854a1b9591d9f2d2f574b90be

Download Submit
C:\Windows\SysWOW64\Dpehof32.exe

Filesize
337KB

MD5
8471af31b81b0fe89794e1bb08632a00

SHA1
80f34a9254bba704783c122ea8368739dcf18f95

SHA256
3a5f8767db328f32b2b433af5b391f36036ab786a1039759fc5b1e622f8c6cfa

SHA512
5f6810a6644b942a5bfc3646b1ac6105e601b324eeedbeca0684590b459abe1333a576af2722a8ab8c0d03c1cabf5636247c008854a1b9591d9f2d2f574b90be

Download Submit
C:\Windows\SysWOW64\Eaindh32.exe

Filesize
337KB

MD5
66cf311cd01e3c42c513ff0a910dd7b3

SHA1
b1cc567e10b1168057da110f487ee3a1a5ee2057

SHA256
fb81cdfab1acbaf93202abfcf6b03344d7fd4b02ea49bba91172a6f72914557e

SHA512
2b0b94de13e4943e24da42433ffbacede9388a4bda69e7676db5bbbf03d4c46e3e74ac66335fa3f98a9a296648dfb4e727f0eb483d4a538bdb29f0feb60556bb

Download Submit
C:\Windows\SysWOW64\Eaindh32.exe

Filesize
337KB

MD5
66cf311cd01e3c42c513ff0a910dd7b3

SHA1
b1cc567e10b1168057da110f487ee3a1a5ee2057

SHA256
fb81cdfab1acbaf93202abfcf6b03344d7fd4b02ea49bba91172a6f72914557e

SHA512
2b0b94de13e4943e24da42433ffbacede9388a4bda69e7676db5bbbf03d4c46e3e74ac66335fa3f98a9a296648dfb4e727f0eb483d4a538bdb29f0feb60556bb

Download Submit
C:\Windows\SysWOW64\Eangpgcl.exe

Filesize
337KB

MD5
608f86ab9f814ee367502b32506e402a

SHA1
945770cc7c4d2671eb978108441a1d3d17195aca

SHA256
537c32aafd58d3eda24246e90fcdb86b97df42ed30f390aad6e34d607957003a

SHA512
38825a47f6597fb91524473f85ffaf512812cddb4fddc7f3777fd1805cb315c3babb26f40701adfd08601e46f5b67df73a64a0654d76c872b2c23493fb46c56d

Download Submit
C:\Windows\SysWOW64\Eangpgcl.exe

Filesize
337KB

MD5
608f86ab9f814ee367502b32506e402a

SHA1
945770cc7c4d2671eb978108441a1d3d17195aca

SHA256
537c32aafd58d3eda24246e90fcdb86b97df42ed30f390aad6e34d607957003a

SHA512
38825a47f6597fb91524473f85ffaf512812cddb4fddc7f3777fd1805cb315c3babb26f40701adfd08601e46f5b67df73a64a0654d76c872b2c23493fb46c56d

Download Submit
C:\Windows\SysWOW64\Eaqdegaj.exe

Filesize
337KB

MD5
b4f3fda6045b74c15a645e9964789282

SHA1
e8c00d633588bdbb06a4b87f54f984365ae7ea64

SHA256
0cbe676ad36eb6e18f4eec5d72dfbdcf857ef1e4dc33c060ba8f8852381ec99c

SHA512
8e811dff43373c5a278cf43e34125efcfcc062f0f71586fdeea440cfecd3919cc644c74fee98f53a7d1120dcd13ec2b716374070865eb669b768da657f363b5f

Download Submit
C:\Windows\SysWOW64\Eaqdegaj.exe

Filesize
337KB

MD5
b4f3fda6045b74c15a645e9964789282

SHA1
e8c00d633588bdbb06a4b87f54f984365ae7ea64

SHA256
0cbe676ad36eb6e18f4eec5d72dfbdcf857ef1e4dc33c060ba8f8852381ec99c

SHA512
8e811dff43373c5a278cf43e34125efcfcc062f0f71586fdeea440cfecd3919cc644c74fee98f53a7d1120dcd13ec2b716374070865eb669b768da657f363b5f

Download Submit
C:\Windows\SysWOW64\Eeddfe32.exe

Filesize
337KB

MD5
a45710b51bace9b65f1cc0d47edd005b

SHA1
f75550ec67429dccdcba8d1708b19dbee295894e

SHA256
88d0a694d875655071694f9a11a995d193534f4eb82011b14892ccc227cc7b2c

SHA512
6e424386ad63a2511692fbfc56a0453ae624f3b2eb001b825d60b5c1dd29dcd49706af6959b5ae407f5f0e3d11e25338d7ca633fb3c2d7bc8edfb8d7544cd813

Download Submit
C:\Windows\SysWOW64\Fdcjlb32.exe

Filesize
337KB

MD5
87526abf0b1482219fcf55739fe79cba

SHA1
16abf2133b1b84e9139cf4e3e083c586e134508c

SHA256
3efd9f796761b00e4aae44e92b8f0213134041223f87ea9b7176adc920e0a455

SHA512
1e9cf4ff71e8be55990a20463cdb109efc762e2bb5a1f22c3d02b317b7196ba6c6683bc228e32f08d3a827a3980f61df24350423f51f92d0390430d5e2e291f5

Download Submit
C:\Windows\SysWOW64\Fdcjlb32.exe

Filesize
337KB

MD5
87526abf0b1482219fcf55739fe79cba

SHA1
16abf2133b1b84e9139cf4e3e083c586e134508c

SHA256
3efd9f796761b00e4aae44e92b8f0213134041223f87ea9b7176adc920e0a455

SHA512
1e9cf4ff71e8be55990a20463cdb109efc762e2bb5a1f22c3d02b317b7196ba6c6683bc228e32f08d3a827a3980f61df24350423f51f92d0390430d5e2e291f5

Download Submit
C:\Windows\SysWOW64\Fdhcgaic.exe

Filesize
337KB

MD5
82a5f0c336b4194d463557d30a0b7c8f

SHA1
090c878c7880995dd678a166200d0f8643c1572c

SHA256
eb639e30daa57cadf465f280f9384471cea503a9c8e0e97a0862d8a98f370582

SHA512
58ef4ddd83256585ba7d1c97e1c70475fffdcf5caff2227dd8e0b53a570721bb86825a151709afa388bc8d35384a998362c0ace1940af13e035f8817788bff26

Download Submit
C:\Windows\SysWOW64\Fdhcgaic.exe

Filesize
337KB

MD5
82a5f0c336b4194d463557d30a0b7c8f

SHA1
090c878c7880995dd678a166200d0f8643c1572c

SHA256
eb639e30daa57cadf465f280f9384471cea503a9c8e0e97a0862d8a98f370582

SHA512
58ef4ddd83256585ba7d1c97e1c70475fffdcf5caff2227dd8e0b53a570721bb86825a151709afa388bc8d35384a998362c0ace1940af13e035f8817788bff26

Download Submit
C:\Windows\SysWOW64\Fhmigagd.exe

Filesize
337KB

MD5
555b38c6f72d93450aea79026e0d7c50

SHA1
9d5e822e7f11fc760bf83f3e7aeefe67d17a083b

SHA256
b5585d155844ed888db04772333457436a4808b10b32ee98fc5424e34d8260cb

SHA512
d485bcc0ba6d38b7086ca8c7c9da715008db944a6ebc2abaadb3dcdddf7c10e5d1429f422fcec23932e76713e0f22e01c57b286f26620f328255212b15b81a54

Download Submit
C:\Windows\SysWOW64\Fhmigagd.exe

Filesize
337KB

MD5
555b38c6f72d93450aea79026e0d7c50

SHA1
9d5e822e7f11fc760bf83f3e7aeefe67d17a083b

SHA256
b5585d155844ed888db04772333457436a4808b10b32ee98fc5424e34d8260cb

SHA512
d485bcc0ba6d38b7086ca8c7c9da715008db944a6ebc2abaadb3dcdddf7c10e5d1429f422fcec23932e76713e0f22e01c57b286f26620f328255212b15b81a54

Download Submit
C:\Windows\SysWOW64\Fibojhim.exe

Filesize
337KB

MD5
cdc0eb6e0b7822c864b9f2a80b3aa1ca

SHA1
c9eccc613278ea174bbe3d36244b711434ee49fe

SHA256
a653a7aa15a766ebda08a8e8a5bcfb11cdd00f029ea2e60fd842f023618873c9

SHA512
139445e11b439e41f39d57aac59cefd61038bd6f202e39936e9f798496a3e774daf84ed6cf9818bcc538c948713acf3b0343ce48de8d5c0d37c5218ad5b3913a

Download Submit
C:\Windows\SysWOW64\Fibojhim.exe

Filesize
337KB

MD5
cdc0eb6e0b7822c864b9f2a80b3aa1ca

SHA1
c9eccc613278ea174bbe3d36244b711434ee49fe

SHA256
a653a7aa15a766ebda08a8e8a5bcfb11cdd00f029ea2e60fd842f023618873c9

SHA512
139445e11b439e41f39d57aac59cefd61038bd6f202e39936e9f798496a3e774daf84ed6cf9818bcc538c948713acf3b0343ce48de8d5c0d37c5218ad5b3913a

Download Submit
C:\Windows\SysWOW64\Fielph32.exe

Filesize
337KB

MD5
56809919c46f270e804ca43bbba76008

SHA1
f0dce03e466eb2fc69b06424532ce9619fbcf394

SHA256
99fc5e01f2be54ae9c3b2d037d90ef49d6d12f8118380331e63093c909fde402

SHA512
ce5be186c45f76f6c1d437e4a0baedc5ec3d35c4dc31a234b618b05c325e0d0161e61598e2aa5b1441bf95c963a002e5024e1cc2080e190e10b4a3a154dd28eb

Download Submit
C:\Windows\SysWOW64\Fielph32.exe

Filesize
337KB

MD5
56809919c46f270e804ca43bbba76008

SHA1
f0dce03e466eb2fc69b06424532ce9619fbcf394

SHA256
99fc5e01f2be54ae9c3b2d037d90ef49d6d12f8118380331e63093c909fde402

SHA512
ce5be186c45f76f6c1d437e4a0baedc5ec3d35c4dc31a234b618b05c325e0d0161e61598e2aa5b1441bf95c963a002e5024e1cc2080e190e10b4a3a154dd28eb

Download Submit
C:\Windows\SysWOW64\Filiii32.exe

Filesize
337KB

MD5
490e2110941e350140fab308ced32ada

SHA1
1efeeb13365a64ffedd587eaa1f4fd470cacfc27

SHA256
2c286f1d558ec7a998404ad6fbd6bd90168d779fea36ac03dd2f9caa337d3934

SHA512
b8216ffb7f51b04e86b816fde22f68afbe4d2a63c5952bba56e91b9972291f381412fee30f4b5a662f608fd69ea2a5b74c3d761824a1233f35c2dafcf55a90cf

Download Submit
C:\Windows\SysWOW64\Filiii32.exe

Filesize
337KB

MD5
490e2110941e350140fab308ced32ada

SHA1
1efeeb13365a64ffedd587eaa1f4fd470cacfc27

SHA256
2c286f1d558ec7a998404ad6fbd6bd90168d779fea36ac03dd2f9caa337d3934

SHA512
b8216ffb7f51b04e86b816fde22f68afbe4d2a63c5952bba56e91b9972291f381412fee30f4b5a662f608fd69ea2a5b74c3d761824a1233f35c2dafcf55a90cf

Download Submit
C:\Windows\SysWOW64\Flekihpc.exe

Filesize
337KB

MD5
e4689911a189a79207da4aa01aff77fa

SHA1
27040cbdfc8710e8888ee603fd0a9576fcb26ce2

SHA256
426efd874bf56d7359545e37661e39ceb1907483900eac8b64cbef28203254da

SHA512
287d91121c4c91db0f3d567abb63d1a89b1b2994340ff2ee0a84f79541fcf4a4baae20dfc5ead370a5c8ee881bb668a35ff6604e5066a30606d474489b281213

Download Submit
C:\Windows\SysWOW64\Fmlneg32.exe

Filesize
337KB

MD5
d9598a72d145fba58cb126e8e2e93fe7

SHA1
0873e32067df7c332f0270caf1baecfa572c0823

SHA256
6cab5138b631a8b69da6ecadf4139f90ca1a3f2a65887e172350fdfbb6bddad7

SHA512
7ca2b744051708612383002ea5db748f63e6c141cf344e5173fb6276e137d9a4c2a5272e9199934ee82cf3788659f5d4f688a8ee796be717cf6507e75348b51b

Download Submit
C:\Windows\SysWOW64\Fmlneg32.exe

Filesize
337KB

MD5
d9598a72d145fba58cb126e8e2e93fe7

SHA1
0873e32067df7c332f0270caf1baecfa572c0823

SHA256
6cab5138b631a8b69da6ecadf4139f90ca1a3f2a65887e172350fdfbb6bddad7

SHA512
7ca2b744051708612383002ea5db748f63e6c141cf344e5173fb6276e137d9a4c2a5272e9199934ee82cf3788659f5d4f688a8ee796be717cf6507e75348b51b

Download Submit
C:\Windows\SysWOW64\Gdfoio32.exe

Filesize
337KB

MD5
a91bce04d56b71fc28fabc06e1e77eaf

SHA1
032dda261cf030ef8d897434cddf67e534c1e6fa

SHA256
25c37c90aeaa013e2a46e6a7cbcce075d1d6829a755d6496aefd2965f802b81d

SHA512
17a3c5a0ec9295dbedce64f16d26d0a26b42caf2511a57183403cd34d00b22933792cc4bda99770464f6caffb18d800b56ac3961c4fc3cc4bac4ccc69bde476c

Download Submit
C:\Windows\SysWOW64\Gdfoio32.exe

Filesize
337KB

MD5
a91bce04d56b71fc28fabc06e1e77eaf

SHA1
032dda261cf030ef8d897434cddf67e534c1e6fa

SHA256
25c37c90aeaa013e2a46e6a7cbcce075d1d6829a755d6496aefd2965f802b81d

SHA512
17a3c5a0ec9295dbedce64f16d26d0a26b42caf2511a57183403cd34d00b22933792cc4bda99770464f6caffb18d800b56ac3961c4fc3cc4bac4ccc69bde476c

Download Submit
C:\Windows\SysWOW64\Ghpocngo.exe

Filesize
337KB

MD5
2fe93809d705ccf4192f23f8cc41b919

SHA1
fc45365e7cd96ec26fcff178331e8d63d2a65c80

SHA256
213142d9e97f22e8d60f873f05ee0d8913eda6cc29ca28da56fc6ef0b9818a28

SHA512
30c8ab2028d7d2723bec629d705b2e0615502c2a32ec15925de406a99c20edc21ea28828316e7eeda359d5b148ce088cfa0b89ed007d67f784bc21244160a95f

Download Submit
C:\Windows\SysWOW64\Ghpocngo.exe

Filesize
337KB

MD5
2fe93809d705ccf4192f23f8cc41b919

SHA1
fc45365e7cd96ec26fcff178331e8d63d2a65c80

SHA256
213142d9e97f22e8d60f873f05ee0d8913eda6cc29ca28da56fc6ef0b9818a28

SHA512
30c8ab2028d7d2723bec629d705b2e0615502c2a32ec15925de406a99c20edc21ea28828316e7eeda359d5b148ce088cfa0b89ed007d67f784bc21244160a95f

Download Submit
C:\Windows\SysWOW64\Gigheh32.exe

Filesize
337KB

MD5
fa828a80178e487fa24fe6d67f12600f

SHA1
bff77123f2d489c6fa4625315d240e4ea3a09445

SHA256
3e0e788c8852af8ef1cae27b5363f04a7b9ca00d80998b97fcdd691d60d90ff9

SHA512
751d1634a87929bd021ccea54a4f4ad00f30e26ff7c9319621c1cab5ef5e52429f2b0252c523df606a9a4716ec58144707a38f4d8969adf63d2f02d225d3c489

Download Submit
C:\Windows\SysWOW64\Gigheh32.exe

Filesize
337KB

MD5
fa828a80178e487fa24fe6d67f12600f

SHA1
bff77123f2d489c6fa4625315d240e4ea3a09445

SHA256
3e0e788c8852af8ef1cae27b5363f04a7b9ca00d80998b97fcdd691d60d90ff9

SHA512
751d1634a87929bd021ccea54a4f4ad00f30e26ff7c9319621c1cab5ef5e52429f2b0252c523df606a9a4716ec58144707a38f4d8969adf63d2f02d225d3c489

Download Submit
C:\Windows\SysWOW64\Gkiaej32.exe

Filesize
337KB

MD5
fa828a80178e487fa24fe6d67f12600f

SHA1
bff77123f2d489c6fa4625315d240e4ea3a09445

SHA256
3e0e788c8852af8ef1cae27b5363f04a7b9ca00d80998b97fcdd691d60d90ff9

SHA512
751d1634a87929bd021ccea54a4f4ad00f30e26ff7c9319621c1cab5ef5e52429f2b0252c523df606a9a4716ec58144707a38f4d8969adf63d2f02d225d3c489

Download Submit
C:\Windows\SysWOW64\Gkiaej32.exe

Filesize
337KB

MD5
c05ef97ae810bf5dd8fc1d8a10bc56a9

SHA1
3dd4211cf284fdba21d945a3f11e0a9168cfa275

SHA256
13ae731eeeb68b634aa84b70b6848cb2847f08ec98c8768bf831690ffed1dc7c

SHA512
0113ce03a78b89940fa921d9daae7cebca0bfa1da66871b864acb1b292172b5c9354e4acb0fcaeda2d847d8abb2668ef04136a8520456e0c448d5f5202521cde

Download Submit
C:\Windows\SysWOW64\Gkiaej32.exe

Filesize
337KB

MD5
c05ef97ae810bf5dd8fc1d8a10bc56a9

SHA1
3dd4211cf284fdba21d945a3f11e0a9168cfa275

SHA256
13ae731eeeb68b634aa84b70b6848cb2847f08ec98c8768bf831690ffed1dc7c

SHA512
0113ce03a78b89940fa921d9daae7cebca0bfa1da66871b864acb1b292172b5c9354e4acb0fcaeda2d847d8abb2668ef04136a8520456e0c448d5f5202521cde

Download Submit
C:\Windows\SysWOW64\Gklnjj32.exe

Filesize
337KB

MD5
a9b6204c543eeb0671f0e4b1b3a32e4b

SHA1
c4ef9c73347b51273b45903032d494444cab91ae

SHA256
14aedc513e20d321914136e4f205fdd45d3bebb09fa8440a1c85769d5520349e

SHA512
7376c2ffef5c372d95a302c128cabf1d388464759e40e2401fb3045d7e40868089255bff96ef074e49008fa209cc473b14dac8fdaea40cd928298617901d040a

Download Submit
C:\Windows\SysWOW64\Gklnjj32.exe

Filesize
337KB

MD5
a9b6204c543eeb0671f0e4b1b3a32e4b

SHA1
c4ef9c73347b51273b45903032d494444cab91ae

SHA256
14aedc513e20d321914136e4f205fdd45d3bebb09fa8440a1c85769d5520349e

SHA512
7376c2ffef5c372d95a302c128cabf1d388464759e40e2401fb3045d7e40868089255bff96ef074e49008fa209cc473b14dac8fdaea40cd928298617901d040a

Download Submit
C:\Windows\SysWOW64\Gklnjj32.exe

Filesize
337KB

MD5
a9b6204c543eeb0671f0e4b1b3a32e4b

SHA1
c4ef9c73347b51273b45903032d494444cab91ae

SHA256
14aedc513e20d321914136e4f205fdd45d3bebb09fa8440a1c85769d5520349e

SHA512
7376c2ffef5c372d95a302c128cabf1d388464759e40e2401fb3045d7e40868089255bff96ef074e49008fa209cc473b14dac8fdaea40cd928298617901d040a

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
337KB

MD5
f706af8c3bc597e0f4f861c6e173921e

SHA1
bb2b82a87cb64589be385eb857b3034c231d4e57

SHA256
943d00ce6f3b2d65dd8dde258052f5327c6db0755744a2e42b8cb71178067e27

SHA512
e5121b4e7f094d28a1c56ca0d308aa0849f20a66f558017ec06412fc5e21164c45b398d325b4542235964c691a9287c6d1c897f727c794fa0793f16a5ef6d36a

Download Submit
C:\Windows\SysWOW64\Gnlgleef.exe

Filesize
337KB

MD5
f706af8c3bc597e0f4f861c6e173921e

SHA1
bb2b82a87cb64589be385eb857b3034c231d4e57

SHA256
943d00ce6f3b2d65dd8dde258052f5327c6db0755744a2e42b8cb71178067e27

SHA512
e5121b4e7f094d28a1c56ca0d308aa0849f20a66f558017ec06412fc5e21164c45b398d325b4542235964c691a9287c6d1c897f727c794fa0793f16a5ef6d36a

Download Submit
C:\Windows\SysWOW64\Gpfjma32.exe

Filesize
337KB

MD5
33e64198bb4f27a38cb02af0596c31d1

SHA1
e9702839bbfc1da3b9278c143c9bca5beedfb4f3

SHA256
70760e600bd5eb7307f591e484103e06724c321bc080d2077fe04b8ef53924f7

SHA512
0b46588d1890a0601b372e12ed45adbfc90d4f0744c065b78b34eeff0235e570e627b7977af2d944de1a2fb09ee9daf68ab3cbc403dc8922e1cf602c181b88c3

Download Submit
C:\Windows\SysWOW64\Gpfjma32.exe

Filesize
337KB

MD5
33e64198bb4f27a38cb02af0596c31d1

SHA1
e9702839bbfc1da3b9278c143c9bca5beedfb4f3

SHA256
70760e600bd5eb7307f591e484103e06724c321bc080d2077fe04b8ef53924f7

SHA512
0b46588d1890a0601b372e12ed45adbfc90d4f0744c065b78b34eeff0235e570e627b7977af2d944de1a2fb09ee9daf68ab3cbc403dc8922e1cf602c181b88c3

Download Submit
C:\Windows\SysWOW64\Haafcb32.exe

Filesize
337KB

MD5
c0a16595385a3c1657d21b665d76e774

SHA1
9e5e92a952532b930d2250a1eb41a1dbadabd468

SHA256
7dd7bf59a50ceda70917e48873c2147c4e8ed7f6fbd167283a925b9f18dbfc5e

SHA512
e8ad8a68f108c8c74cc7f158e6b6c7a82c490c307e5c3773b02b4cd6524c595ee3707b74391fe7e88ae8afb34785bcfe3c0239dce15c7b7d8b302c98fd7f9796

Download Submit
C:\Windows\SysWOW64\Haafcb32.exe

Filesize
337KB

MD5
0cf4347c1e57c4202a69b39ca1d5ed6f

SHA1
ab60613d83ca1ece74c4c691f4d039a265a03815

SHA256
71219cabb0049c2a42c87acc0e9c81db23443c2a8f2e4d16cde798e15e642100

SHA512
8257f82213db738a41a2a57f80711351850c8a31f1b70f0afdcf853862b29ac6d2f759d235af0d63ff806b4310717db904424dc884cc416b1abd2aea497a50b8

Download Submit
C:\Windows\SysWOW64\Haafcb32.exe

Filesize
337KB

MD5
0cf4347c1e57c4202a69b39ca1d5ed6f

SHA1
ab60613d83ca1ece74c4c691f4d039a265a03815

SHA256
71219cabb0049c2a42c87acc0e9c81db23443c2a8f2e4d16cde798e15e642100

SHA512
8257f82213db738a41a2a57f80711351850c8a31f1b70f0afdcf853862b29ac6d2f759d235af0d63ff806b4310717db904424dc884cc416b1abd2aea497a50b8

Download Submit
C:\Windows\SysWOW64\Hdkidohn.exe

Filesize
337KB

MD5
e26ecb0856bf83833657fbd53a4b682e

SHA1
544bbd0da7b49e7df6443f3fb2e3d1e732bca0c2

SHA256
c2271c3ee71cc36ba33856163b3f68f4c116e2d34992ba9dd965e846f47b4036

SHA512
b80165137ef6c17ed59f8f882ff38a858bab92161df3a6ed1a7fad22132af11d4595e207090abc4f31c4694c2236b87dc65c0fa6ec42a35fbcaf1e2c1462b108

Download Submit
C:\Windows\SysWOW64\Hdkidohn.exe

Filesize
337KB

MD5
e26ecb0856bf83833657fbd53a4b682e

SHA1
544bbd0da7b49e7df6443f3fb2e3d1e732bca0c2

SHA256
c2271c3ee71cc36ba33856163b3f68f4c116e2d34992ba9dd965e846f47b4036

SHA512
b80165137ef6c17ed59f8f882ff38a858bab92161df3a6ed1a7fad22132af11d4595e207090abc4f31c4694c2236b87dc65c0fa6ec42a35fbcaf1e2c1462b108

Download Submit
C:\Windows\SysWOW64\Hdmein32.exe

Filesize
337KB

MD5
c0a16595385a3c1657d21b665d76e774

SHA1
9e5e92a952532b930d2250a1eb41a1dbadabd468

SHA256
7dd7bf59a50ceda70917e48873c2147c4e8ed7f6fbd167283a925b9f18dbfc5e

SHA512
e8ad8a68f108c8c74cc7f158e6b6c7a82c490c307e5c3773b02b4cd6524c595ee3707b74391fe7e88ae8afb34785bcfe3c0239dce15c7b7d8b302c98fd7f9796

Download Submit
C:\Windows\SysWOW64\Hdmein32.exe

Filesize
337KB

MD5
c0a16595385a3c1657d21b665d76e774

SHA1
9e5e92a952532b930d2250a1eb41a1dbadabd468

SHA256
7dd7bf59a50ceda70917e48873c2147c4e8ed7f6fbd167283a925b9f18dbfc5e

SHA512
e8ad8a68f108c8c74cc7f158e6b6c7a82c490c307e5c3773b02b4cd6524c595ee3707b74391fe7e88ae8afb34785bcfe3c0239dce15c7b7d8b302c98fd7f9796

Download Submit
C:\Windows\SysWOW64\Hkbdki32.exe

Filesize
337KB

MD5
62556eb91c2b37679df9a81e2004d21e

SHA1
d4a2edb9b2f1103c32dccc9bffe83cc16dcc6d47

SHA256
8baa1e8fd954b0b59cb75af9658f361e1db7d507bf732169c2e6d8d5f7a64536

SHA512
d95812e6a0d1ae3b5144e007ff95bdbf1eb0a25bc3c0b6ec7c166e8aa4192760d9d9bcdf78ec5e7d8b5186426628ac9f233b6e65aa763ba9e6fb6d3169a50081

Download Submit
C:\Windows\SysWOW64\Hkbdki32.exe

Filesize
337KB

MD5
62556eb91c2b37679df9a81e2004d21e

SHA1
d4a2edb9b2f1103c32dccc9bffe83cc16dcc6d47

SHA256
8baa1e8fd954b0b59cb75af9658f361e1db7d507bf732169c2e6d8d5f7a64536

SHA512
d95812e6a0d1ae3b5144e007ff95bdbf1eb0a25bc3c0b6ec7c166e8aa4192760d9d9bcdf78ec5e7d8b5186426628ac9f233b6e65aa763ba9e6fb6d3169a50081

Download Submit
C:\Windows\SysWOW64\Hnhghcki.exe

Filesize
337KB

MD5
283f0eabf5b414c8193df0c3b07f48ee

SHA1
f9ef747f14c084f7f6b54b69ffa8560030e1aca7

SHA256
5f671d68de3ff9d9d3413c59fd37513953edef1ebf49c2faa15558d33b98a845

SHA512
4725c62b82c44a7d2e124ab67f86586aa6d0671bed2547785fedd7ab253b782dcb37eb0c2765e14410f9a5eef8339ad7534bcc97e95d7dbda536b5f216653ab5

Download Submit
C:\Windows\SysWOW64\Hnhghcki.exe

Filesize
337KB

MD5
283f0eabf5b414c8193df0c3b07f48ee

SHA1
f9ef747f14c084f7f6b54b69ffa8560030e1aca7

SHA256
5f671d68de3ff9d9d3413c59fd37513953edef1ebf49c2faa15558d33b98a845

SHA512
4725c62b82c44a7d2e124ab67f86586aa6d0671bed2547785fedd7ab253b782dcb37eb0c2765e14410f9a5eef8339ad7534bcc97e95d7dbda536b5f216653ab5

Download Submit
C:\Windows\SysWOW64\Hnodaecc.exe

Filesize
337KB

MD5
9b5a7cbaa3796f21f54bdc5241778b91

SHA1
40f8f6aa15edfd836bd068bb0ab7a922fbc979e0

SHA256
58a5d8d0817851cce42717186cd8d5d72a89d10a41d9eb911bdffccf90af0a60

SHA512
117881cbda3eb7d70c221f3c04a388b8a61c8f46cc52e8360758769bdec5c6d10502d1031ce9d4570e9908f4a5c966741c2f35bae11798521ae55e111a90adf4

Download Submit
C:\Windows\SysWOW64\Hnodaecc.exe

Filesize
337KB

MD5
9b5a7cbaa3796f21f54bdc5241778b91

SHA1
40f8f6aa15edfd836bd068bb0ab7a922fbc979e0

SHA256
58a5d8d0817851cce42717186cd8d5d72a89d10a41d9eb911bdffccf90af0a60

SHA512
117881cbda3eb7d70c221f3c04a388b8a61c8f46cc52e8360758769bdec5c6d10502d1031ce9d4570e9908f4a5c966741c2f35bae11798521ae55e111a90adf4

Download Submit
C:\Windows\SysWOW64\Ihphkl32.exe

Filesize
337KB

MD5
974f8de31c4db2454bef83d5754f5a1f

SHA1
476e8798c32a998341b083be64a1395358d1aa11

SHA256
2b4ca6e2520c356c316eff747f1babb0d45fa4e0622400a84d8a54d6fc6d75bb

SHA512
2481db67db00c1e6065d89a686e0552c26303039af546bb5330887dcd2cb424d554956d648a6c28be2b00e94dc70d23ce31167bb92c0ddd9bd220904334f9a07

Download Submit
C:\Windows\SysWOW64\Inlibb32.exe

Filesize
337KB

MD5
c0913003515c6db25979ec0266f5fcb1

SHA1
6b7f9651b8145b3d1c20acda9e4933d0114fee5c

SHA256
bfb080b0610eb7c808f82b815584e8f6cd21fdf69498bd94af42463bdde52457

SHA512
c0c8641b4faa05d03d5b7c458f3a5d53f256f83658fcfaace51167233cbab9e81b287e0bb2a8776ad9945539041ce7f701e5126b398b70ea256637575cc9a0c0

Download Submit
C:\Windows\SysWOW64\Kiejmi32.exe

Filesize
337KB

MD5
10081b2e1f7c16e372c57af00f26bb5b

SHA1
8c54025e081caad1f355b56d341a20acd814946c

SHA256
cd4734d478e74a84d9353d39f2e6502ca1e552e5863d76eed97831f4d66c5dbe

SHA512
1bcf3be62c0ca250f79786bbdbe039970ec8a84e364ce7c7dd422f1fcc0148a721548efaac986835da6ef71513a8b0f3a6683459c9f0e90dadc38091289bec2c

Download Submit
C:\Windows\SysWOW64\Lelchgne.exe

Filesize
337KB

MD5
09d982f5485ce6f7ed3d8cc5f5ac84d6

SHA1
46b5805e607bc9e5f6acca8a1d1f7f791708dff4

SHA256
99320eb86a5e88be4e9d4565f0b7ac0b0157119fffc10ef57aae107b50393abe

SHA512
cf43202968aa7890227cc6a7ce587f7c04ab57cff0585dc6c0b3843ecf2f3e4bfe05099d13bc4ef2d22c64f4bf90bd11bde254e2471612d7dc4ff4f6b81edae4

Download Submit
C:\Windows\SysWOW64\Lhadgmge.exe

Filesize
337KB

MD5
29d99b39d67a4e28a9659c4d5ae8a074

SHA1
f73678eea8fa4d7116446213c8a5d2bd24c80c4c

SHA256
054e6386ce52aee397ee83792a0736a4e7cf08a03665a696ff0f0f391f232cfd

SHA512
8482422145d8b3fb0502f313441fed2a4bb8d219e880bd67e73c28a7faeb32421c318c3f3d9eba0fb8d519f0c1120b7bb5f6a8351ce69e5c8c5ea6e0252a4063

Download Submit
C:\Windows\SysWOW64\Lijlof32.exe

Filesize
337KB

MD5
2b77df279866aa0c7ded4b97e033401d

SHA1
81afe5d0d08094a9041b9c5a5c869d517eb3c216

SHA256
069c2d790098616c3a7fee95fad073fa9df1f19fcb03c4e5ad010decbffe5e59

SHA512
9723c452f5cc37dbc6d40ebf784876085621daa2a4eac2a8c80307b8379b97ce02fbc20042afc661e10c048021c34d26313974ac90c201681871a1e40ef9f4db

Download Submit
C:\Windows\SysWOW64\Ljijci32.exe

Filesize
337KB

MD5
cbd3e3349276784ab86452f196830ce0

SHA1
2ca9abcb557ad36fc4ba02a8043db4abc349092d

SHA256
eab4df1389a557eeab075196a7dd89187a55e2d5a778eb8855fe9ff49187ec2e

SHA512
226209f76e46eaaf87673780be8acd2d23ac6bb7b5d1ca56348c58cc1b39c3af034d8cf2e3918ce0e457fa18e5a5494b34e7664d1dfe06c8a9b11a6508bb0e54

Download Submit
C:\Windows\SysWOW64\Mhfmbl32.exe

Filesize
337KB

MD5
757d523808863c71fa9ce5cf8b637fc8

SHA1
362a2fcd04daf3bb6702e1233cc2240d9f42539e

SHA256
349198f75959cb772b6bd3ecbde5cc6a893b54d14cf848bcfe613819dd1baa52

SHA512
2decfb5e0a5b1bf90a7eaef222bf2318d426888c0a835b0de2ed21395aa013f20cd3d40e73b1ac3318c63e755385ab88bef9dae96f4f0d2e5653a0c0eeb552d5

Download Submit
C:\Windows\SysWOW64\Mjbogmdb.exe

Filesize
337KB

MD5
5c193a3c86a536e325b2462967b90fdb

SHA1
8be74cfef100e31f2bf1033fc6e1a5fbda425b9f

SHA256
19a4ea20be275e7e1c2e27554858d5be44834f0c6a88774bb6eac5afb3fe26b8

SHA512
dcade2e31f7720b82f8e50bc6f9976719c507448f5f8b04f184a323d88fcd8ae7b8d60fb0c9551a1fb2dc61c9b36dae41e2058d7c6af54b094442a7eb72e22b2

Download Submit
C:\Windows\SysWOW64\Mnlnbl32.exe

Filesize
337KB

MD5
75ef0eb9d84d3c66004974b7ba1b56aa

SHA1
347936163d8a52936bb3b2ca23b93389f211a333

SHA256
52f6515eaba86eef077ff9965d51859e68495b8c9336a240954c863f7c07c73e

SHA512
317fcf18dd0736109ee4f7064521701dade36225c44a2df0f1a684234ed7eff33c7b5ffdc3295ac0ee9a5aadb44f7d386f369b3678dacacbe86066712cc74337

Download Submit
C:\Windows\SysWOW64\Neccpd32.exe

Filesize
337KB

MD5
904fc27ed5d4e404ddac28462cbc01ad

SHA1
6a36cbf9223b44de0f7aa1221c1a90540016cca4

SHA256
91e69d707df58f1a653adc3b25b8d7dd11465ccc31adeaa27c9dc1750d5cc531

SHA512
2f587173bfb9139fd5f465ef0558e61505946eb84c4c7e1738c3f4258d192d2c8f32b7358e3448163e1650567e547099288f3caca176f2fa91735290525b96df

Download Submit
C:\Windows\SysWOW64\Nefped32.exe

Filesize
337KB

MD5
2fa1f22949511d89760af19c13e41b4e

SHA1
a8259a12f9765e85fab307873c4a72d91de84771

SHA256
41b1ae1047f4e536763f350054d59e498af11024a8863b2cea4f41fd942751f5

SHA512
7e82fc31ac3c65e5b314f609f1a2ede088b9745bf210e12d3432f2dfb6524ecc96ca98c489b50b607e2080cad2b1df54d3b15cf9568ae4f4819868abbd7f7b21

Download Submit
C:\Windows\SysWOW64\Njmhhefi.exe

Filesize
337KB

MD5
cb7d54642d895b808c6b5f081e3ef3ee

SHA1
a82fbfb75f18d0f57b7f4b18b9aeaefe1209d465

SHA256
cc49e64e204b41f81160ad66de8cc10ae3317dcd392ea2fa210fa3822919f090

SHA512
f8563262ce0436acfeced56965bb56b53110b2a971c1f31565b925c08f343c662637753ecfda165da9000c51ee66a89eb962f7f0a5ce0714f1764db102983257

Download Submit
C:\Windows\SysWOW64\Nklbmllg.exe

Filesize
337KB

MD5
f8b1f8eae13a332536ae6f6668e3ac86

SHA1
777c51876c7d5e3684e5988879760167362b8795

SHA256
c02441276e15cb1a7b085fb8dabcd357fcfa377e377875d46bdb2494248ff46e

SHA512
b460a23c1425b86a7d282bc4ed4941dcb850d33f42003423709214af5caf978e1b1fa5e12c8b14cba8e38cb9499ea1ad658f93d09f5587f1a1e11b93b7c42584

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
337KB

MD5
f7dd0a783f4e182f2a543a6e2ac46c9b

SHA1
7623fde3ce5c6fdc030b0eb23461cd689d539f1e

SHA256
9af561191f585af8eb5b0e1a54cbc9c5108eb7bc752a18cb25264b2ee81be79a

SHA512
c2902d8fa7bc9eab52a1a5cefbcbd088ee2f0f2d12b11b7462625429f62b7f98d1be45f1e546dcb4a6072355b5969f64933e824e334744651df4d8e3d19ee829

Download Submit
C:\Windows\SysWOW64\Oampjeml.exe

Filesize
337KB

MD5
4eae161b1ab0722920e07d391ab122c9

SHA1
c519c868cba8b318d59b80cebd8d96296d1ec6a4

SHA256
e333f88769cc30111ebfa18ffe08ce58a7588a0c99ca52ce8414bf88b814a890

SHA512
f9b4f42386ac8c6366fb0f313c88c64549ae961af24369f4e152d1cfab4344ec4bf91bd6441d9235a6eeca6d0fd58f210c3c3f0c31306db1eb03ac8f4aca7325

Download Submit
C:\Windows\SysWOW64\Oblmdhdo.exe

Filesize
337KB

MD5
d805d61c96cf8534daa4fde960f554b3

SHA1
6b23fc9160a95596a9c68cd620af54dd6a5c8dbe

SHA256
d016529ed53276c816c7791aee2d381f99aabf0cd5ba8a45009de5966fba34c5

SHA512
d333fbd8cbacb5d6759d19f743888188f9a3b4fd5a93a4a199172fc42c47143d2835957ae4b8c028dcac795b14f9bb707da3e1dac1e6fec45994dd6cc5c7b146

Download Submit
C:\Windows\SysWOW64\Oohgdhfn.exe

Filesize
337KB

MD5
89828d1285855a199fc319ce8c074c44

SHA1
795fb4a506e1bb5477fe284af8c7282238de8be2

SHA256
b2234ed0d66afaad4ac0ee4941a9ce6e0e940a536169bff663a23466951620fe

SHA512
3c5aeae3500d55cd8335e68b06145448d7f35500cb14a0effe243c786a36098b594d92f0b1ed1b7c892212677ff664d9573094cad79bbeb94799141c1c1dedd7

Download Submit
C:\Windows\SysWOW64\Pabblb32.exe

Filesize
337KB

MD5
6c1c049d3d1c31e886eed83acc744f28

SHA1
418c63945213a469e1e9fd24f7e5f0969a1863de

SHA256
3432d35df2fd4e14a1678f5ce59ef38b8cb502772c00fb6f7c115e6b95a6afe9

SHA512
ff9b260598a1ea09205c1344078ab5479d66cca60ba0b62ce72c8f6c3262c9ede7bc1a451cc90711e8e31f46a30d693d33e205d907fc9d96c94b98e607979d24

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
337KB

MD5
cc9a0c569d588bf2bb3b89560da81370

SHA1
f08f951d290278ff26cc0ad464db43f3bea768db

SHA256
1b7607011cc53e5a3522605d4336b0758d0c4183f55cc5b1580f6c9200836e3d

SHA512
53455978113a3101f46890cd77ba616aa555d73bdf0e509afbd190d94b7d948beb1e01d3d4f8832260269d43995649a8ff59ea29aeb97bedea782cdb36c4faaa

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
192KB

MD5
e293437bac9e99fa5af11516ee6bcf23

SHA1
a73481f5aa9535a8fc82c2e00ad1f0aa67ba250e

SHA256
db5b40cc043f345f227a1095940965d450605c2c126e514420280bc0cc2727ed

SHA512
8a8cf8f6e7dea65c07ab9eaeb72c3581ebc787ab2b8ce494548b13768ca51cee29c960b9b08e0064590459527d1505b018dab8354390e9c4a2da786554c2ef29

Download Submit
C:\Windows\SysWOW64\Qljcoj32.exe

Filesize
337KB

MD5
9fa1dc30e31f73f4ee22cc7ab6f67d11

SHA1
3bbc8d8dc3666a41c8d53358630dc7c1f023b3e3

SHA256
070b15fed5dc0e90af4a5db36ec79a2dab9ef0a0efe2efa1ed5d5eba23f9d216

SHA512
6a32ad2e1c6b0ddc140bc9a62d309a7ef86347fd6d1b98af06f1343cd2940dd0ab12b55fa05e531344a081ac5570d22f1f086b9c502da56a43b80b8c277e85d9

Download Submit
memory/664-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads