e84bb898f6c278c340accbe55367640e4b7b0c7e27e4cf404677fd2af7a4dd98

Analysis

max time kernel
83s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cddcd6c108fc873fb58f1a4d478c838e_JC.exe
Size

430KB
MD5

cddcd6c108fc873fb58f1a4d478c838e
SHA1

4cc8cd98778d775efa0fa516b926d755ce0927b6
SHA256

e84bb898f6c278c340accbe55367640e4b7b0c7e27e4cf404677fd2af7a4dd98
SHA512

ca1919dc0084e26d256365915dd44a481ef9764596ae0c81e3aa409ebe3cdc5db9ab8f1e9c9d7fa0eed72af701a5977aeab7d7f46a0226506f55b166cb110004
SSDEEP

3072:KO+uXzeNwzkXVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsnzj:KVuA8kXRs+HLlD0rN2ZwVht740Psz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckefmai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amdddkma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlcehhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjbopcip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhpaki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcgjie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geqlhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcgjie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpgplej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmgecn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocegnoog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meknhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhadmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkilbni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjipmoai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejbaqgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jknocljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldngqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ininloda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmclgghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgaboa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naaqhlmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldgkiki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klibdcjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caagpdop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpgplej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lldfcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpolahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khpgmqpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobnpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qniogl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnnoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikjmcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjhif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmiaimki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgpilc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anjpeelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbepdfnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbdijpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoaocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jijaef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leenanik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panabc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fachob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaokdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbddmejf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpkfmfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjinpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnmdojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbijinfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekpmljin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lelcbmcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlkejgfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbifobho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flqigq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmicfnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	WerFault.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihapg32.exe

Executes dropped EXE 64 IoCs

pid	Process
4996	Anjpeelk.exe
4904	Bqbohocd.exe
1772	Bjmpfdhb.exe
4616	Cnkilbni.exe
3656	Cigcjj32.exe
2160	Dlhlleeh.exe
3820	Dbdano32.exe
3832	Dbijinfl.exe
3964	Ejglcq32.exe
4376	Eeomfioh.exe
2116	Folkjnbc.exe
3892	Fbqiak32.exe
2660	Gklnem32.exe
1016	Gkqhpmkg.exe
2080	Hleneo32.exe
4972	Iameid32.exe
2000	Ifnkeb32.exe
2136	Jjnqap32.exe
1584	Jhcmbm32.exe
1260	Jhejgl32.exe
1904	Jhhgmlli.exe
4636	Kjipmoai.exe
1452	Kiomnk32.exe
2056	Kkabefqp.exe
1064	Lkflpe32.exe
3356	Ljjicl32.exe
3304	Llmbqdfb.exe
4884	Mcggga32.exe
2204	Mldhacpj.exe
4980	Mpenmadn.exe
3676	Nbefolao.exe
1912	Nlnkgbhp.exe
4100	Nmmgae32.exe
1760	Njahki32.exe
2072	Nifele32.exe
3540	Ojhnlh32.exe
3756	Odqbdnod.exe
3972	Ojmgggdo.exe
4964	Obhlkjaj.exe
2904	Olqqdo32.exe
3052	Ppoijn32.exe
1972	Pgknlg32.exe
3876	Pljcjn32.exe
3088	Pkkdhe32.exe
4056	Qdfefkll.exe
3296	Anqfepaj.exe
4708	Admkgifd.exe
572	Bdfnmhnj.exe
2508	Bldogjib.exe
4408	Bnclamqe.exe
3308	Bkglkapo.exe
4068	Cgnmpbec.exe
3640	Cklffq32.exe
2780	Ccigpbga.exe
652	Ccldebeo.exe
4704	Ddkpoelb.exe
1740	Djhiglji.exe
3908	Dccjfaog.exe
1192	Dqgjoenq.exe
1432	Dedceddg.exe
4820	Eakdje32.exe
4200	Enoddi32.exe
3256	Eljknl32.exe
2752	Fcepbooa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Locnlmoe.exe	Loaafnah.exe
File opened for modification	C:\Windows\SysWOW64\Amibqhed.exe	Aohbbqme.exe
File created	C:\Windows\SysWOW64\Hfpjlgdl.dll	Hbldkllm.exe
File opened for modification	C:\Windows\SysWOW64\Meknhh32.exe	Mnpice32.exe
File opened for modification	C:\Windows\SysWOW64\Lefdld32.exe	Lpilcnoo.exe
File created	C:\Windows\SysWOW64\Mhppcn32.exe	Lfjjqg32.exe
File created	C:\Windows\SysWOW64\Nampdmmc.dll	Midfiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddkpoelb.exe	Ccldebeo.exe
File created	C:\Windows\SysWOW64\Kbhedopp.dll	Noeaaqlq.exe
File created	C:\Windows\SysWOW64\Occnjp32.dll	Ekmhnpfl.exe
File created	C:\Windows\SysWOW64\Kkechjib.exe	Kqpoja32.exe
File created	C:\Windows\SysWOW64\Kdeghfhj.exe	Klibdcjo.exe
File created	C:\Windows\SysWOW64\Jqpfccgo.exe	Ikcmklih.exe
File created	C:\Windows\SysWOW64\Gimmkk32.dll	Knhbflbp.exe
File created	C:\Windows\SysWOW64\Ainpoqfj.dll	Jmnheggo.exe
File opened for modification	C:\Windows\SysWOW64\Ininloda.exe	Hfmigmgf.exe
File created	C:\Windows\SysWOW64\Hafdah32.dll	Bjgghc32.exe
File opened for modification	C:\Windows\SysWOW64\Klibdcjo.exe	Knhbflbp.exe
File created	C:\Windows\SysWOW64\Ccpkblqn.exe	Cikgecag.exe
File created	C:\Windows\SysWOW64\Olbdacbp.exe	Oampdkbj.exe
File opened for modification	C:\Windows\SysWOW64\Iameid32.exe	Hleneo32.exe
File created	C:\Windows\SysWOW64\Dgnolj32.exe	Dfnbbg32.exe
File created	C:\Windows\SysWOW64\Jdfcla32.exe	Jknocljn.exe
File opened for modification	C:\Windows\SysWOW64\Ldpoinjq.exe	Lkenkhec.exe
File opened for modification	C:\Windows\SysWOW64\Nkhdgfen.exe	Mqbpjmeg.exe
File created	C:\Windows\SysWOW64\Flnlaahl.exe	Fllplajo.exe
File opened for modification	C:\Windows\SysWOW64\Aaflag32.exe	Aljcip32.exe
File created	C:\Windows\SysWOW64\Imabnofj.exe	Imofip32.exe
File created	C:\Windows\SysWOW64\Banmdk32.dll	Pkkdhe32.exe
File created	C:\Windows\SysWOW64\Egleni32.dll	Loaafnah.exe
File created	C:\Windows\SysWOW64\Cgndikgd.exe	Ccpkblqn.exe
File created	C:\Windows\SysWOW64\Pkkdhe32.exe	Pljcjn32.exe
File created	C:\Windows\SysWOW64\Oihapg32.exe	Okgabpgg.exe
File created	C:\Windows\SysWOW64\Bmmljbhc.dll	Cclagm32.exe
File created	C:\Windows\SysWOW64\Omkmhlpf.exe	Olkqnjhd.exe
File opened for modification	C:\Windows\SysWOW64\Afinbdon.exe	Alnmdojp.exe
File created	C:\Windows\SysWOW64\Accfahjf.dll	Jnalem32.exe
File created	C:\Windows\SysWOW64\Dnjgnq32.dll	Anjngp32.exe
File opened for modification	C:\Windows\SysWOW64\Jecejm32.exe	Jpgmaf32.exe
File created	C:\Windows\SysWOW64\Bjhkaf32.dll	Klibdcjo.exe
File opened for modification	C:\Windows\SysWOW64\Lqfpoope.exe	Lkjhfh32.exe
File created	C:\Windows\SysWOW64\Gmohojgf.dll	Bbljoh32.exe
File opened for modification	C:\Windows\SysWOW64\Eidbbp32.exe	Eplnijdj.exe
File created	C:\Windows\SysWOW64\Beiopegj.dll	Jndhkmfe.exe
File opened for modification	C:\Windows\SysWOW64\Lkflpe32.exe	Kkabefqp.exe
File created	C:\Windows\SysWOW64\Peddpjeb.dll	Bccfleqi.exe
File opened for modification	C:\Windows\SysWOW64\Bmngjj32.exe	Bnhjinpo.exe
File created	C:\Windows\SysWOW64\Kjdjhgdb.exe	Kdgapp32.exe
File created	C:\Windows\SysWOW64\Kqnbea32.exe	Kjdjhgdb.exe
File created	C:\Windows\SysWOW64\Aohbbqme.exe	Aepmjk32.exe
File opened for modification	C:\Windows\SysWOW64\Eeomfioh.exe	Ejglcq32.exe
File created	C:\Windows\SysWOW64\Oiihkncb.exe	Ofqnlplf.exe
File created	C:\Windows\SysWOW64\Mokbiohj.dll	Bcfkiock.exe
File opened for modification	C:\Windows\SysWOW64\Foebmn32.exe	Fdpnpe32.exe
File created	C:\Windows\SysWOW64\Dakampio.exe	Dplebmbl.exe
File opened for modification	C:\Windows\SysWOW64\Mnknkbdk.exe	Magnbnea.exe
File created	C:\Windows\SysWOW64\Okgabpgg.exe	Oifekg32.exe
File created	C:\Windows\SysWOW64\Mhaofb32.dll	Ddkpoelb.exe
File created	C:\Windows\SysWOW64\Fdlcehhn.exe	Edjgpi32.exe
File created	C:\Windows\SysWOW64\Enhoch32.dll	Fhjlkg32.exe
File created	C:\Windows\SysWOW64\Fqjolfda.exe	Ffekom32.exe
File created	C:\Windows\SysWOW64\Cfqpno32.dll	Ghiogkfp.exe
File opened for modification	C:\Windows\SysWOW64\Naaqhlmg.exe	Nldhpeop.exe
File created	C:\Windows\SysWOW64\Ncbcjefh.dll	Nahgik32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9868	5632	WerFault.exe	987

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghoohma.dll"	Piepnfnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbdqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afinbdon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbedag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnfnl32.dll"	Odqbdnod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjffngap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioljaael.dll"	Fgpilc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankaglme.dll"	Kdgapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nldhpeop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbaffid.dll"	Fkflbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inmplh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnbbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagojbeb.dll"	Jilnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhoolef.dll"	usoclient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejbaqgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpnmb32.dll"	Hoibmmpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgpilc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikcmklih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jndhkmfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkangg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oecnmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldphjaof.dll"	Khpgmqpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nojagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nahgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmdmk32.dll"	Lkmkfncf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmjojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcgjie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhga32.dll"	Meknhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dakampio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idpbhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acaopjgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iejlih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbijinfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbdijpjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igggjgoe.dll"	Bbemdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajblmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meknhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhadmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhjegh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkbkna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkabefqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmapb32.dll"	Dccjfaog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgqpaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gadqepkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplnijdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlkejgfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnalem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbqdb32.dll"	Ldiiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpekndfg.dll"	Kppimogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jknocljn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anjpeelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecjhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbekbimh.dll"	Emaemefo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbccg32.dll"	Bkgekock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjbbemd.dll"	Oiakpheo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obbekn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpqaejjo.dll"	Kqnbea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnhgidka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhpeelnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Panabc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4996	1708	cddcd6c108fc873fb58f1a4d478c838e_JC.exe	81
PID 1708 wrote to memory of 4996	1708	cddcd6c108fc873fb58f1a4d478c838e_JC.exe	81
PID 1708 wrote to memory of 4996	1708	cddcd6c108fc873fb58f1a4d478c838e_JC.exe	81
PID 4996 wrote to memory of 4904	4996	Anjpeelk.exe	82
PID 4996 wrote to memory of 4904	4996	Anjpeelk.exe	82
PID 4996 wrote to memory of 4904	4996	Anjpeelk.exe	82
PID 4904 wrote to memory of 1772	4904	Bqbohocd.exe	83
PID 4904 wrote to memory of 1772	4904	Bqbohocd.exe	83
PID 4904 wrote to memory of 1772	4904	Bqbohocd.exe	83
PID 1772 wrote to memory of 4616	1772	Bjmpfdhb.exe	84
PID 1772 wrote to memory of 4616	1772	Bjmpfdhb.exe	84
PID 1772 wrote to memory of 4616	1772	Bjmpfdhb.exe	84
PID 4616 wrote to memory of 3656	4616	Cnkilbni.exe	85
PID 4616 wrote to memory of 3656	4616	Cnkilbni.exe	85
PID 4616 wrote to memory of 3656	4616	Cnkilbni.exe	85
PID 3656 wrote to memory of 2160	3656	Cigcjj32.exe	86
PID 3656 wrote to memory of 2160	3656	Cigcjj32.exe	86
PID 3656 wrote to memory of 2160	3656	Cigcjj32.exe	86
PID 2160 wrote to memory of 3820	2160	Dlhlleeh.exe	87
PID 2160 wrote to memory of 3820	2160	Dlhlleeh.exe	87
PID 2160 wrote to memory of 3820	2160	Dlhlleeh.exe	87
PID 3820 wrote to memory of 3832	3820	Dbdano32.exe	88
PID 3820 wrote to memory of 3832	3820	Dbdano32.exe	88
PID 3820 wrote to memory of 3832	3820	Dbdano32.exe	88
PID 3832 wrote to memory of 3964	3832	Dbijinfl.exe	89
PID 3832 wrote to memory of 3964	3832	Dbijinfl.exe	89
PID 3832 wrote to memory of 3964	3832	Dbijinfl.exe	89
PID 3964 wrote to memory of 4376	3964	Ejglcq32.exe	90
PID 3964 wrote to memory of 4376	3964	Ejglcq32.exe	90
PID 3964 wrote to memory of 4376	3964	Ejglcq32.exe	90
PID 4376 wrote to memory of 2116	4376	Eeomfioh.exe	91
PID 4376 wrote to memory of 2116	4376	Eeomfioh.exe	91
PID 4376 wrote to memory of 2116	4376	Eeomfioh.exe	91
PID 2116 wrote to memory of 3892	2116	Folkjnbc.exe	92
PID 2116 wrote to memory of 3892	2116	Folkjnbc.exe	92
PID 2116 wrote to memory of 3892	2116	Folkjnbc.exe	92
PID 3892 wrote to memory of 2660	3892	Fbqiak32.exe	93
PID 3892 wrote to memory of 2660	3892	Fbqiak32.exe	93
PID 3892 wrote to memory of 2660	3892	Fbqiak32.exe	93
PID 2660 wrote to memory of 1016	2660	Gklnem32.exe	94
PID 2660 wrote to memory of 1016	2660	Gklnem32.exe	94
PID 2660 wrote to memory of 1016	2660	Gklnem32.exe	94
PID 1016 wrote to memory of 2080	1016	Gkqhpmkg.exe	95
PID 1016 wrote to memory of 2080	1016	Gkqhpmkg.exe	95
PID 1016 wrote to memory of 2080	1016	Gkqhpmkg.exe	95
PID 2080 wrote to memory of 4972	2080	Hleneo32.exe	96
PID 2080 wrote to memory of 4972	2080	Hleneo32.exe	96
PID 2080 wrote to memory of 4972	2080	Hleneo32.exe	96
PID 4972 wrote to memory of 2000	4972	Iameid32.exe	97
PID 4972 wrote to memory of 2000	4972	Iameid32.exe	97
PID 4972 wrote to memory of 2000	4972	Iameid32.exe	97
PID 2000 wrote to memory of 2136	2000	Ifnkeb32.exe	98
PID 2000 wrote to memory of 2136	2000	Ifnkeb32.exe	98
PID 2000 wrote to memory of 2136	2000	Ifnkeb32.exe	98
PID 2136 wrote to memory of 1584	2136	Jjnqap32.exe	99
PID 2136 wrote to memory of 1584	2136	Jjnqap32.exe	99
PID 2136 wrote to memory of 1584	2136	Jjnqap32.exe	99
PID 1584 wrote to memory of 1260	1584	Jhcmbm32.exe	100
PID 1584 wrote to memory of 1260	1584	Jhcmbm32.exe	100
PID 1584 wrote to memory of 1260	1584	Jhcmbm32.exe	100
PID 1260 wrote to memory of 1904	1260	Jhejgl32.exe	101
PID 1260 wrote to memory of 1904	1260	Jhejgl32.exe	101
PID 1260 wrote to memory of 1904	1260	Jhejgl32.exe	101
PID 1904 wrote to memory of 4636	1904	Jhhgmlli.exe	102

C:\Users\Admin\AppData\Local\Temp\cddcd6c108fc873fb58f1a4d478c838e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cddcd6c108fc873fb58f1a4d478c838e_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Anjpeelk.exe
  C:\Windows\system32\Anjpeelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\Bqbohocd.exe
    C:\Windows\system32\Bqbohocd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\Bjmpfdhb.exe
      C:\Windows\system32\Bjmpfdhb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Folkjnbc.exe
        
        C:\Windows\system32\Folkjnbc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Fbqiak32.exe
        
        C:\Windows\system32\Fbqiak32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Gklnem32.exe
        
        C:\Windows\system32\Gklnem32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Gkqhpmkg.exe
        
        C:\Windows\system32\Gkqhpmkg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Hleneo32.exe
        
        C:\Windows\system32\Hleneo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Iameid32.exe
        
        C:\Windows\system32\Iameid32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ifnkeb32.exe
        
        C:\Windows\system32\Ifnkeb32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Jjnqap32.exe
        
        C:\Windows\system32\Jjnqap32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Jhcmbm32.exe
        
        C:\Windows\system32\Jhcmbm32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Jhejgl32.exe
        
        C:\Windows\system32\Jhejgl32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Jhhgmlli.exe
        
        C:\Windows\system32\Jhhgmlli.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Kjipmoai.exe
        
        C:\Windows\system32\Kjipmoai.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Kiomnk32.exe
        
        C:\Windows\system32\Kiomnk32.exe
        24⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Kkabefqp.exe
        
        C:\Windows\system32\Kkabefqp.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Ljjicl32.exe
        
        C:\Windows\system32\Ljjicl32.exe
        27⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Llmbqdfb.exe
        
        C:\Windows\system32\Llmbqdfb.exe
        28⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Mcggga32.exe
        
        C:\Windows\system32\Mcggga32.exe
        29⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Mldhacpj.exe
        
        C:\Windows\system32\Mldhacpj.exe
        30⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Mpenmadn.exe
        
        C:\Windows\system32\Mpenmadn.exe
        31⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        32⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Nlnkgbhp.exe
        
        C:\Windows\system32\Nlnkgbhp.exe
        33⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Nmmgae32.exe
        
        C:\Windows\system32\Nmmgae32.exe
        34⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Njahki32.exe
        
        C:\Windows\system32\Njahki32.exe
        35⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Nifele32.exe
        
        C:\Windows\system32\Nifele32.exe
        36⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ojhnlh32.exe
        
        C:\Windows\system32\Ojhnlh32.exe
        37⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Odqbdnod.exe
        
        C:\Windows\system32\Odqbdnod.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Ojmgggdo.exe
        
        C:\Windows\system32\Ojmgggdo.exe
        39⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Obhlkjaj.exe
        
        C:\Windows\system32\Obhlkjaj.exe
        40⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Olqqdo32.exe
        
        C:\Windows\system32\Olqqdo32.exe
        41⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        42⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Pgknlg32.exe
        
        C:\Windows\system32\Pgknlg32.exe
        43⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Pljcjn32.exe
        
        C:\Windows\system32\Pljcjn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Pkkdhe32.exe
        
        C:\Windows\system32\Pkkdhe32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Qdfefkll.exe
        
        C:\Windows\system32\Qdfefkll.exe
        46⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Anqfepaj.exe
        
        C:\Windows\system32\Anqfepaj.exe
        47⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Admkgifd.exe
        
        C:\Windows\system32\Admkgifd.exe
        48⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Bdfnmhnj.exe
        
        C:\Windows\system32\Bdfnmhnj.exe
        49⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Bldogjib.exe
        
        C:\Windows\system32\Bldogjib.exe
        50⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Bnclamqe.exe
        
        C:\Windows\system32\Bnclamqe.exe
        51⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Bkglkapo.exe
        
        C:\Windows\system32\Bkglkapo.exe
        52⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Cgnmpbec.exe
        
        C:\Windows\system32\Cgnmpbec.exe
        53⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Cklffq32.exe
        
        C:\Windows\system32\Cklffq32.exe
        54⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Ccigpbga.exe
        
        C:\Windows\system32\Ccigpbga.exe
        55⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Ccldebeo.exe
        
        C:\Windows\system32\Ccldebeo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Ddkpoelb.exe
        
        C:\Windows\system32\Ddkpoelb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Djhiglji.exe
        
        C:\Windows\system32\Djhiglji.exe
        58⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Dccjfaog.exe
        
        C:\Windows\system32\Dccjfaog.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Dqgjoenq.exe
        
        C:\Windows\system32\Dqgjoenq.exe
        60⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Dedceddg.exe
        
        C:\Windows\system32\Dedceddg.exe
        61⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Eakdje32.exe
        
        C:\Windows\system32\Eakdje32.exe
        62⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Enoddi32.exe
        
        C:\Windows\system32\Enoddi32.exe
        63⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Eljknl32.exe
        
        C:\Windows\system32\Eljknl32.exe
        64⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Fcepbooa.exe
        
        C:\Windows\system32\Fcepbooa.exe
        65⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Fnmqegle.exe
        
        C:\Windows\system32\Fnmqegle.exe
        66⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Fjdajhbi.exe
        
        C:\Windows\system32\Fjdajhbi.exe
        67⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Flfjjkgi.exe
        
        C:\Windows\system32\Flfjjkgi.exe
        68⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Geqlhp32.exe
        
        C:\Windows\system32\Geqlhp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Gdfhil32.exe
        
        C:\Windows\system32\Gdfhil32.exe
        70⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Ghfnej32.exe
        
        C:\Windows\system32\Ghfnej32.exe
        71⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Hldgkiki.exe
        
        C:\Windows\system32\Hldgkiki.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4672
        
        C:\Windows\SysWOW64\Hmhphqoe.exe
        
        C:\Windows\system32\Hmhphqoe.exe
        73⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Hhpaki32.exe
        
        C:\Windows\system32\Hhpaki32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1364
        
        C:\Windows\SysWOW64\Hoiihcde.exe
        
        C:\Windows\system32\Hoiihcde.exe
        75⤵
        
        PID:180
        
        C:\Windows\SysWOW64\Imofip32.exe
        
        C:\Windows\system32\Imofip32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        77⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Ilbclg32.exe
        
        C:\Windows\system32\Ilbclg32.exe
        78⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Iaokdn32.exe
        
        C:\Windows\system32\Iaokdn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Ikgpmc32.exe
        
        C:\Windows\system32\Ikgpmc32.exe
        80⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Ikjmcc32.exe
        
        C:\Windows\system32\Ikjmcc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        82⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Jakkplbc.exe
        
        C:\Windows\system32\Jakkplbc.exe
        83⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Jnalem32.exe
        
        C:\Windows\system32\Jnalem32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Jndhkmfe.exe
        
        C:\Windows\system32\Jndhkmfe.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Kleiid32.exe
        
        C:\Windows\system32\Kleiid32.exe
        86⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Kbceoped.exe
        
        C:\Windows\system32\Kbceoped.exe
        79⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Kmijliej.exe
        
        C:\Windows\system32\Kmijliej.exe
        80⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Kfanen32.exe
        
        C:\Windows\system32\Kfanen32.exe
        81⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Lpjcnd32.exe
        
        C:\Windows\system32\Lpjcnd32.exe
        82⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Lefkfk32.exe
        
        C:\Windows\system32\Lefkfk32.exe
        83⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Lplpcc32.exe
        
        C:\Windows\system32\Lplpcc32.exe
        84⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Leihlj32.exe
        
        C:\Windows\system32\Leihlj32.exe
        85⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Lfhdem32.exe
        
        C:\Windows\system32\Lfhdem32.exe
        86⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Llemnd32.exe
        
        C:\Windows\system32\Llemnd32.exe
        87⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Ldoadabi.exe
        
        C:\Windows\system32\Ldoadabi.exe
        88⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Mmgfmg32.exe
        
        C:\Windows\system32\Mmgfmg32.exe
        89⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Mdanjaqf.exe
        
        C:\Windows\system32\Mdanjaqf.exe
        90⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Mingbhon.exe
        
        C:\Windows\system32\Mingbhon.exe
        91⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Mdckpqod.exe
        
        C:\Windows\system32\Mdckpqod.exe
        92⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Mmlphfed.exe
        
        C:\Windows\system32\Mmlphfed.exe
        93⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Jcefgeif.exe
        
        C:\Windows\system32\Jcefgeif.exe
        37⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Jianpl32.exe
        
        C:\Windows\system32\Jianpl32.exe
        38⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Jpkfmfok.exe
        
        C:\Windows\system32\Jpkfmfok.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4072
        
        C:\Windows\SysWOW64\Jidkek32.exe
        
        C:\Windows\system32\Jidkek32.exe
        40⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Kpncbemh.exe
        
        C:\Windows\system32\Kpncbemh.exe
        41⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Kppphe32.exe
        
        C:\Windows\system32\Kppphe32.exe
        42⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Kpbmme32.exe
        
        C:\Windows\system32\Kpbmme32.exe
        43⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Kfmejopp.exe
        
        C:\Windows\system32\Kfmejopp.exe
        44⤵
        
        PID:1716

C:\Windows\SysWOW64\Kdpmmf32.exe
C:\Windows\system32\Kdpmmf32.exe
1⤵
PID:1776
- C:\Windows\SysWOW64\Knhbflbp.exe
  C:\Windows\system32\Knhbflbp.exe
  2⤵
  - Drops file in System32 directory
  PID:2604
- - C:\Windows\SysWOW64\Klibdcjo.exe
    C:\Windows\system32\Klibdcjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:4632
  - - C:\Windows\SysWOW64\Kdeghfhj.exe
      C:\Windows\system32\Kdeghfhj.exe
      4⤵
      PID:640
    - - C:\Windows\SysWOW64\Kojkeogp.exe
        
        C:\Windows\system32\Kojkeogp.exe
        5⤵
        
        PID:4452
      - C:\Windows\SysWOW64\Kdgcne32.exe
        
        C:\Windows\system32\Kdgcne32.exe
        6⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Kbkdgj32.exe
        
        C:\Windows\system32\Kbkdgj32.exe
        7⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Lkchpoka.exe
        
        C:\Windows\system32\Lkchpoka.exe
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Ldlmieaa.exe
        
        C:\Windows\system32\Ldlmieaa.exe
        9⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Loaafnah.exe
        
        C:\Windows\system32\Loaafnah.exe
        10⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Locnlmoe.exe
        
        C:\Windows\system32\Locnlmoe.exe
        11⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Lmhnea32.exe
        
        C:\Windows\system32\Lmhnea32.exe
        12⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Lkmkfncf.exe
        
        C:\Windows\system32\Lkmkfncf.exe
        13⤵
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Momqblgj.exe
        
        C:\Windows\system32\Momqblgj.exe
        14⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Mmaakpfd.exe
        
        C:\Windows\system32\Mmaakpfd.exe
        15⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Mihbpalh.exe
        
        C:\Windows\system32\Mihbpalh.exe
        16⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Mijofaje.exe
        
        C:\Windows\system32\Mijofaje.exe
        17⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Nfnooe32.exe
        
        C:\Windows\system32\Nfnooe32.exe
        18⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Nbepdfnc.exe
        
        C:\Windows\system32\Nbepdfnc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Npipnjmm.exe
        
        C:\Windows\system32\Npipnjmm.exe
        20⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Nicalpak.exe
        
        C:\Windows\system32\Nicalpak.exe
        21⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Nejbaqgo.exe
        
        C:\Windows\system32\Nejbaqgo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Nppfnige.exe
        
        C:\Windows\system32\Nppfnige.exe
        23⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ofjokc32.exe
        
        C:\Windows\system32\Ofjokc32.exe
        24⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        25⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Omkmhlpf.exe
        
        C:\Windows\system32\Omkmhlpf.exe
        26⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Obgeqcnn.exe
        
        C:\Windows\system32\Obgeqcnn.exe
        27⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Ponfed32.exe
        
        C:\Windows\system32\Ponfed32.exe
        28⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Poqckdap.exe
        
        C:\Windows\system32\Poqckdap.exe
        29⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pmbcik32.exe
        
        C:\Windows\system32\Pmbcik32.exe
        30⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ppblkffp.exe
        
        C:\Windows\system32\Ppblkffp.exe
        31⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Pbcelacq.exe
        
        C:\Windows\system32\Pbcelacq.exe
        32⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Pmiijjcf.exe
        
        C:\Windows\system32\Pmiijjcf.exe
        33⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Qefkcl32.exe
        
        C:\Windows\system32\Qefkcl32.exe
        34⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Aoalba32.exe
        
        C:\Windows\system32\Aoalba32.exe
        35⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Aochga32.exe
        
        C:\Windows\system32\Aochga32.exe
        36⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Aofemaog.exe
        
        C:\Windows\system32\Aofemaog.exe
        37⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Aepmjk32.exe
        
        C:\Windows\system32\Aepmjk32.exe
        38⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Aohbbqme.exe
        
        C:\Windows\system32\Aohbbqme.exe
        39⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Amibqhed.exe
        
        C:\Windows\system32\Amibqhed.exe
        40⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Bcfkiock.exe
        
        C:\Windows\system32\Bcfkiock.exe
        41⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Beippj32.exe
        
        C:\Windows\system32\Beippj32.exe
        42⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Bekmei32.exe
        
        C:\Windows\system32\Bekmei32.exe
        43⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Bpaacblm.exe
        
        C:\Windows\system32\Bpaacblm.exe
        44⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Cgmfel32.exe
        
        C:\Windows\system32\Cgmfel32.exe
        45⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Cphgca32.exe
        
        C:\Windows\system32\Cphgca32.exe
        46⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Cjpllgme.exe
        
        C:\Windows\system32\Cjpllgme.exe
        47⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Claenb32.exe
        
        C:\Windows\system32\Claenb32.exe
        48⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        49⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Dobnpm32.exe
        
        C:\Windows\system32\Dobnpm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        51⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Dfnbbg32.exe
        
        C:\Windows\system32\Dfnbbg32.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dgnolj32.exe
        
        C:\Windows\system32\Dgnolj32.exe
        53⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Dnhgidka.exe
        
        C:\Windows\system32\Dnhgidka.exe
        54⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dfclmfhl.exe
        
        C:\Windows\system32\Dfclmfhl.exe
        55⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Eqkmpo32.exe
        
        C:\Windows\system32\Eqkmpo32.exe
        56⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Emanepld.exe
        
        C:\Windows\system32\Emanepld.exe
        57⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Eqdpfm32.exe
        
        C:\Windows\system32\Eqdpfm32.exe
        58⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Fceihh32.exe
        
        C:\Windows\system32\Fceihh32.exe
        59⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        60⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Fcibchgq.exe
        
        C:\Windows\system32\Fcibchgq.exe
        61⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Fggkifmg.exe
        
        C:\Windows\system32\Fggkifmg.exe
        62⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Gpelchhp.exe
        
        C:\Windows\system32\Gpelchhp.exe
        63⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Gcceifof.exe
        
        C:\Windows\system32\Gcceifof.exe
        64⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Gmkibl32.exe
        
        C:\Windows\system32\Gmkibl32.exe
        65⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Hfhgfaha.exe
        
        C:\Windows\system32\Hfhgfaha.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Hpqlof32.exe
        
        C:\Windows\system32\Hpqlof32.exe
        67⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Hmdlhk32.exe
        
        C:\Windows\system32\Hmdlhk32.exe
        68⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Hjkigojc.exe
        
        C:\Windows\system32\Hjkigojc.exe
        69⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Hoibmmpi.exe
        
        C:\Windows\system32\Hoibmmpi.exe
        70⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ijpcbn32.exe
        
        C:\Windows\system32\Ijpcbn32.exe
        71⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Iplkje32.exe
        
        C:\Windows\system32\Iplkje32.exe
        72⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Iandjg32.exe
        
        C:\Windows\system32\Iandjg32.exe
        73⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ikgicmpe.exe
        
        C:\Windows\system32\Ikgicmpe.exe
        74⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ipcakd32.exe
        
        C:\Windows\system32\Ipcakd32.exe
        75⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Jhmfba32.exe
        
        C:\Windows\system32\Jhmfba32.exe
        76⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Jmjojh32.exe
        
        C:\Windows\system32\Jmjojh32.exe
        77⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Jknocljn.exe
        
        C:\Windows\system32\Jknocljn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Jdfcla32.exe
        
        C:\Windows\system32\Jdfcla32.exe
        79⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Jmnheggo.exe
        
        C:\Windows\system32\Jmnheggo.exe
        80⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Jhdlbp32.exe
        
        C:\Windows\system32\Jhdlbp32.exe
        81⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Jdkmgali.exe
        
        C:\Windows\system32\Jdkmgali.exe
        82⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Jncapf32.exe
        
        C:\Windows\system32\Jncapf32.exe
        83⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Kgkfil32.exe
        
        C:\Windows\system32\Kgkfil32.exe
        84⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Kdpfbp32.exe
        
        C:\Windows\system32\Kdpfbp32.exe
        85⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Knhkkfod.exe
        
        C:\Windows\system32\Knhkkfod.exe
        86⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Kklkej32.exe
        
        C:\Windows\system32\Kklkej32.exe
        87⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Khplnn32.exe
        
        C:\Windows\system32\Khplnn32.exe
        88⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Kgeiokao.exe
        
        C:\Windows\system32\Kgeiokao.exe
        89⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Ldiiio32.exe
        
        C:\Windows\system32\Ldiiio32.exe
        90⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Lkenkhec.exe
        
        C:\Windows\system32\Lkenkhec.exe
        91⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Ldpoinjq.exe
        
        C:\Windows\system32\Ldpoinjq.exe
        92⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Lkjhfh32.exe
        
        C:\Windows\system32\Lkjhfh32.exe
        93⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Lqfpoope.exe
        
        C:\Windows\system32\Lqfpoope.exe
        94⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Lkldlgok.exe
        
        C:\Windows\system32\Lkldlgok.exe
        95⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Mhpeelnd.exe
        
        C:\Windows\system32\Mhpeelnd.exe
        96⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Mojmbf32.exe
        
        C:\Windows\system32\Mojmbf32.exe
        97⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Mkangg32.exe
        
        C:\Windows\system32\Mkangg32.exe
        98⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Mbkfcabb.exe
        
        C:\Windows\system32\Mbkfcabb.exe
        99⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Moofmeal.exe
        
        C:\Windows\system32\Moofmeal.exe
        100⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Mhgkfkhl.exe
        
        C:\Windows\system32\Mhgkfkhl.exe
        101⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Mqbpjmeg.exe
        
        C:\Windows\system32\Mqbpjmeg.exe
        102⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Nkhdgfen.exe
        
        C:\Windows\system32\Nkhdgfen.exe
        103⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Nildajdg.exe
        
        C:\Windows\system32\Nildajdg.exe
        104⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Nbdijpjh.exe
        
        C:\Windows\system32\Nbdijpjh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Nohicdia.exe
        
        C:\Windows\system32\Nohicdia.exe
        106⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Neebkkgi.exe
        
        C:\Windows\system32\Neebkkgi.exe
        107⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Nnmfdpni.exe
        
        C:\Windows\system32\Nnmfdpni.exe
        108⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Ngekmf32.exe
        
        C:\Windows\system32\Ngekmf32.exe
        109⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Nbkojo32.exe
        
        C:\Windows\system32\Nbkojo32.exe
        110⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Ooalibaf.exe
        
        C:\Windows\system32\Ooalibaf.exe
        111⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Oijqbh32.exe
        
        C:\Windows\system32\Oijqbh32.exe
        112⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Obbekn32.exe
        
        C:\Windows\system32\Obbekn32.exe
        113⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Oecnmi32.exe
        
        C:\Windows\system32\Oecnmi32.exe
        114⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Oajoaj32.exe
        
        C:\Windows\system32\Oajoaj32.exe
        115⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Pbiklmhp.exe
        
        C:\Windows\system32\Pbiklmhp.exe
        116⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        117⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Pnbifmla.exe
        
        C:\Windows\system32\Pnbifmla.exe
        118⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Pacahhib.exe
        
        C:\Windows\system32\Pacahhib.exe
        119⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Pbbnbkpe.exe
        
        C:\Windows\system32\Pbbnbkpe.exe
        120⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Qniogl32.exe
        
        C:\Windows\system32\Qniogl32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Qpikao32.exe
        
        C:\Windows\system32\Qpikao32.exe
        122⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Alplfpbp.exe
        
        C:\Windows\system32\Alplfpbp.exe
        123⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Aaldngqg.exe
        
        C:\Windows\system32\Aaldngqg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Aejmdegn.exe
        
        C:\Windows\system32\Aejmdegn.exe
        125⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Abnnnjfh.exe
        
        C:\Windows\system32\Abnnnjfh.exe
        126⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Bhblfpng.exe
        
        C:\Windows\system32\Bhblfpng.exe
        127⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Bbljoh32.exe
        
        C:\Windows\system32\Bbljoh32.exe
        128⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Bifblbad.exe
        
        C:\Windows\system32\Bifblbad.exe
        129⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Caagpdop.exe
        
        C:\Windows\system32\Caagpdop.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Cimhlakl.exe
        
        C:\Windows\system32\Cimhlakl.exe
        131⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Dekobaki.exe
        
        C:\Windows\system32\Dekobaki.exe
        132⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Dadlmanj.exe
        
        C:\Windows\system32\Dadlmanj.exe
        133⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Dohmff32.exe
        
        C:\Windows\system32\Dohmff32.exe
        134⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Dphipidf.exe
        
        C:\Windows\system32\Dphipidf.exe
        135⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Efdbhpbn.exe
        
        C:\Windows\system32\Efdbhpbn.exe
        136⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Ehlakjig.exe
        
        C:\Windows\system32\Ehlakjig.exe
        137⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Fjlmdmqj.exe
        
        C:\Windows\system32\Fjlmdmqj.exe
        138⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Fqfeag32.exe
        
        C:\Windows\system32\Fqfeag32.exe
        139⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Fjnjjlog.exe
        
        C:\Windows\system32\Fjnjjlog.exe
        140⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Fokbbcmo.exe
        
        C:\Windows\system32\Fokbbcmo.exe
        141⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Ffekom32.exe
        
        C:\Windows\system32\Ffekom32.exe
        142⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Fqjolfda.exe
        
        C:\Windows\system32\Fqjolfda.exe
        143⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Fifdqhal.exe
        
        C:\Windows\system32\Fifdqhal.exe
        144⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Fbnhjn32.exe
        
        C:\Windows\system32\Fbnhjn32.exe
        145⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Gmclgghc.exe
        
        C:\Windows\system32\Gmclgghc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Gflapl32.exe
        
        C:\Windows\system32\Gflapl32.exe
        147⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Gmfilfep.exe
        
        C:\Windows\system32\Gmfilfep.exe
        148⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Gfnnel32.exe
        
        C:\Windows\system32\Gfnnel32.exe
        149⤵
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Gbenjm32.exe
        
        C:\Windows\system32\Gbenjm32.exe
        150⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Gbgkpm32.exe
        
        C:\Windows\system32\Gbgkpm32.exe
        151⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Gcggjp32.exe
        
        C:\Windows\system32\Gcggjp32.exe
        152⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Hbldkllm.exe
        
        C:\Windows\system32\Hbldkllm.exe
        153⤵
        Drops file in System32 directory
        
        PID:7364
        
        C:\Windows\SysWOW64\Hppedpkf.exe
        
        C:\Windows\system32\Hppedpkf.exe
        154⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Hfljfjpq.exe
        
        C:\Windows\system32\Hfljfjpq.exe
        155⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Habndbpf.exe
        
        C:\Windows\system32\Habndbpf.exe
        156⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Iippne32.exe
        
        C:\Windows\system32\Iippne32.exe
        157⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Iaiddajo.exe
        
        C:\Windows\system32\Iaiddajo.exe
        158⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Iffmmihf.exe
        
        C:\Windows\system32\Iffmmihf.exe
        159⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Idjmfmgp.exe
        
        C:\Windows\system32\Idjmfmgp.exe
        160⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Idljll32.exe
        
        C:\Windows\system32\Idljll32.exe
        161⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        162⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Jmgkja32.exe
        
        C:\Windows\system32\Jmgkja32.exe
        163⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Jmihpa32.exe
        
        C:\Windows\system32\Jmihpa32.exe
        164⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Kdlcbjfj.exe
        
        C:\Windows\system32\Kdlcbjfj.exe
        165⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Kdophj32.exe
        
        C:\Windows\system32\Kdophj32.exe
        166⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Kmgdaokh.exe
        
        C:\Windows\system32\Kmgdaokh.exe
        167⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Kmlmlo32.exe
        
        C:\Windows\system32\Kmlmlo32.exe
        168⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Ldjodh32.exe
        
        C:\Windows\system32\Ldjodh32.exe
        169⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Lnccmnak.exe
        
        C:\Windows\system32\Lnccmnak.exe
        170⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Ljlagndl.exe
        
        C:\Windows\system32\Ljlagndl.exe
        171⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Mgbnfb32.exe
        
        C:\Windows\system32\Mgbnfb32.exe
        172⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Mdfopf32.exe
        
        C:\Windows\system32\Mdfopf32.exe
        173⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ncpelbap.exe
        
        C:\Windows\system32\Ncpelbap.exe
        174⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Nklfho32.exe
        
        C:\Windows\system32\Nklfho32.exe
        175⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Nddkaddm.exe
        
        C:\Windows\system32\Nddkaddm.exe
        176⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Nbhkjicf.exe
        
        C:\Windows\system32\Nbhkjicf.exe
        177⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Nkqpcnig.exe
        
        C:\Windows\system32\Nkqpcnig.exe
        178⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Ocldhqgb.exe
        
        C:\Windows\system32\Ocldhqgb.exe
        179⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Obmeeh32.exe
        
        C:\Windows\system32\Obmeeh32.exe
        180⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Ojhijjll.exe
        
        C:\Windows\system32\Ojhijjll.exe
        181⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Odnngclb.exe
        
        C:\Windows\system32\Odnngclb.exe
        182⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Onfbpi32.exe
        
        C:\Windows\system32\Onfbpi32.exe
        183⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Occkhp32.exe
        
        C:\Windows\system32\Occkhp32.exe
        184⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Ocegnoog.exe
        
        C:\Windows\system32\Ocegnoog.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Peddhb32.exe
        
        C:\Windows\system32\Peddhb32.exe
        186⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Panabc32.exe
        
        C:\Windows\system32\Panabc32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8164
        
        C:\Windows\SysWOW64\Pjffkhpl.exe
        
        C:\Windows\system32\Pjffkhpl.exe
        188⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Pabknbef.exe
        
        C:\Windows\system32\Pabknbef.exe
        189⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Qgopplkq.exe
        
        C:\Windows\system32\Qgopplkq.exe
        190⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Qbddmejf.exe
        
        C:\Windows\system32\Qbddmejf.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Abimhd32.exe
        
        C:\Windows\system32\Abimhd32.exe
        192⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Ahffqk32.exe
        
        C:\Windows\system32\Ahffqk32.exe
        193⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        194⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Ahhbfkbf.exe
        
        C:\Windows\system32\Ahhbfkbf.exe
        195⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Anbkbe32.exe
        
        C:\Windows\system32\Anbkbe32.exe
        196⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Adockl32.exe
        
        C:\Windows\system32\Adockl32.exe
        197⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Aenpeoom.exe
        
        C:\Windows\system32\Aenpeoom.exe
        198⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Bjkhme32.exe
        
        C:\Windows\system32\Bjkhme32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7772
        
        C:\Windows\SysWOW64\Baepjpea.exe
        
        C:\Windows\system32\Baepjpea.exe
        200⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Bbemdb32.exe
        
        C:\Windows\system32\Bbemdb32.exe
        201⤵
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Blmamh32.exe
        
        C:\Windows\system32\Blmamh32.exe
        202⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Bbifobho.exe
        
        C:\Windows\system32\Bbifobho.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7984
        
        C:\Windows\SysWOW64\Bblcda32.exe
        
        C:\Windows\system32\Bblcda32.exe
        204⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Cbnpja32.exe
        
        C:\Windows\system32\Cbnpja32.exe
        205⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Clfdcgkj.exe
        
        C:\Windows\system32\Clfdcgkj.exe
        206⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Cbqlpabf.exe
        
        C:\Windows\system32\Cbqlpabf.exe
        207⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Cliahf32.exe
        
        C:\Windows\system32\Cliahf32.exe
        208⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Cddemi32.exe
        
        C:\Windows\system32\Cddemi32.exe
        209⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Cknnjcmo.exe
        
        C:\Windows\system32\Cknnjcmo.exe
        210⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Cdfbbhdp.exe
        
        C:\Windows\system32\Cdfbbhdp.exe
        211⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Cajblmci.exe
        
        C:\Windows\system32\Cajblmci.exe
        212⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dlpgiebo.exe
        
        C:\Windows\system32\Dlpgiebo.exe
        213⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Dejhgkgm.exe
        
        C:\Windows\system32\Dejhgkgm.exe
        214⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Dkgqpaed.exe
        
        C:\Windows\system32\Dkgqpaed.exe
        215⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dlgmjdlg.exe
        
        C:\Windows\system32\Dlgmjdlg.exe
        216⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Dhnnoe32.exe
        
        C:\Windows\system32\Dhnnoe32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7904
        
        C:\Windows\SysWOW64\Dogfkpih.exe
        
        C:\Windows\system32\Dogfkpih.exe
        218⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Edgkif32.exe
        
        C:\Windows\system32\Edgkif32.exe
        219⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Ehddpdlc.exe
        
        C:\Windows\system32\Ehddpdlc.exe
        220⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Ecjhmm32.exe
        
        C:\Windows\system32\Ecjhmm32.exe
        221⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ehgqed32.exe
        
        C:\Windows\system32\Ehgqed32.exe
        222⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Eaoenjqa.exe
        
        C:\Windows\system32\Eaoenjqa.exe
        223⤵
        
        PID:332
        
        C:\Windows\SysWOW64\Eleikb32.exe
        
        C:\Windows\system32\Eleikb32.exe
        224⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Fdpnpe32.exe
        
        C:\Windows\system32\Fdpnpe32.exe
        225⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Foebmn32.exe
        
        C:\Windows\system32\Foebmn32.exe
        226⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Fdbked32.exe
        
        C:\Windows\system32\Fdbked32.exe
        227⤵
        
        PID:784
        
        C:\Windows\SysWOW64\Fklcbocl.exe
        
        C:\Windows\system32\Fklcbocl.exe
        228⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Fafkoiji.exe
        
        C:\Windows\system32\Fafkoiji.exe
        229⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Fllplajo.exe
        
        C:\Windows\system32\Fllplajo.exe
        230⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\Flnlaahl.exe
        
        C:\Windows\system32\Flnlaahl.exe
        231⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Fffqjfom.exe
        
        C:\Windows\system32\Fffqjfom.exe
        232⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Flqigq32.exe
        
        C:\Windows\system32\Flqigq32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2480
        
        C:\Windows\SysWOW64\Gbmaog32.exe
        
        C:\Windows\system32\Gbmaog32.exe
        234⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Gcmnijkd.exe
        
        C:\Windows\system32\Gcmnijkd.exe
        235⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Ghlcga32.exe
        
        C:\Windows\system32\Ghlcga32.exe
        236⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Gbdgpfni.exe
        
        C:\Windows\system32\Gbdgpfni.exe
        237⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Gmjlmo32.exe
        
        C:\Windows\system32\Gmjlmo32.exe
        238⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Gcddjiel.exe
        
        C:\Windows\system32\Gcddjiel.exe
        239⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Hbeece32.exe
        
        C:\Windows\system32\Hbeece32.exe
        209⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hiajeoip.exe
        
        C:\Windows\system32\Hiajeoip.exe
        210⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Hplbbipm.exe
        
        C:\Windows\system32\Hplbbipm.exe
        211⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Hidgko32.exe
        
        C:\Windows\system32\Hidgko32.exe
        212⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Hoaocf32.exe
        
        C:\Windows\system32\Hoaocf32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7928
        
        C:\Windows\SysWOW64\Hifcqo32.exe
        
        C:\Windows\system32\Hifcqo32.exe
        214⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Iocliecb.exe
        
        C:\Windows\system32\Iocliecb.exe
        215⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Iiipfnch.exe
        
        C:\Windows\system32\Iiipfnch.exe
        216⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ipbhch32.exe
        
        C:\Windows\system32\Ipbhch32.exe
        217⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Ibadoc32.exe
        
        C:\Windows\system32\Ibadoc32.exe
        218⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Iohede32.exe
        
        C:\Windows\system32\Iohede32.exe
        219⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Imieblgl.exe
        
        C:\Windows\system32\Imieblgl.exe
        220⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Icfnjcec.exe
        
        C:\Windows\system32\Icfnjcec.exe
        221⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Iipfgm32.exe
        
        C:\Windows\system32\Iipfgm32.exe
        222⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Igcgpalj.exe
        
        C:\Windows\system32\Igcgpalj.exe
        223⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Jeidan32.exe
        
        C:\Windows\system32\Jeidan32.exe
        224⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Joahjcgb.exe
        
        C:\Windows\system32\Joahjcgb.exe
        225⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Jiiiml32.exe
        
        C:\Windows\system32\Jiiiml32.exe
        226⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Kphkee32.exe
        
        C:\Windows\system32\Kphkee32.exe
        227⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Kloljf32.exe
        
        C:\Windows\system32\Kloljf32.exe
        228⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Kgflmo32.exe
        
        C:\Windows\system32\Kgflmo32.exe
        229⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Kpoaed32.exe
        
        C:\Windows\system32\Kpoaed32.exe
        230⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ljibdifc.exe
        
        C:\Windows\system32\Ljibdifc.exe
        231⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Lqfgfclm.exe
        
        C:\Windows\system32\Lqfgfclm.exe
        232⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lqhdlc32.exe
        
        C:\Windows\system32\Lqhdlc32.exe
        233⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Lnldeg32.exe
        
        C:\Windows\system32\Lnldeg32.exe
        234⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lmaafcml.exe
        
        C:\Windows\system32\Lmaafcml.exe
        235⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Mfjfoidl.exe
        
        C:\Windows\system32\Mfjfoidl.exe
        236⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Mmcnlc32.exe
        
        C:\Windows\system32\Mmcnlc32.exe
        237⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Mflbdibj.exe
        
        C:\Windows\system32\Mflbdibj.exe
        238⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Mcpcnm32.exe
        
        C:\Windows\system32\Mcpcnm32.exe
        239⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Mqdcga32.exe
        
        C:\Windows\system32\Mqdcga32.exe
        240⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mmkdlbea.exe
        
        C:\Windows\system32\Mmkdlbea.exe
        241⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Mfchehla.exe
        
        C:\Windows\system32\Mfchehla.exe
        242⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Mmmqbb32.exe
        
        C:\Windows\system32\Mmmqbb32.exe
        243⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Npnjcm32.exe
        
        C:\Windows\system32\Npnjcm32.exe
        244⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Nqmfnp32.exe
        
        C:\Windows\system32\Nqmfnp32.exe
        245⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Nggnjjoo.exe
        
        C:\Windows\system32\Nggnjjoo.exe
        246⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Ngikpjml.exe
        
        C:\Windows\system32\Ngikpjml.exe
        247⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Njjdae32.exe
        
        C:\Windows\system32\Njjdae32.exe
        248⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ocbhjjqn.exe
        
        C:\Windows\system32\Ocbhjjqn.exe
        249⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Onhmhc32.exe
        
        C:\Windows\system32\Onhmhc32.exe
        250⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Onkimc32.exe
        
        C:\Windows\system32\Onkimc32.exe
        251⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ojajbdde.exe
        
        C:\Windows\system32\Ojajbdde.exe
        252⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Ocjokijf.exe
        
        C:\Windows\system32\Ocjokijf.exe
        253⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Oanodnip.exe
        
        C:\Windows\system32\Oanodnip.exe
        254⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ojfcmc32.exe
        
        C:\Windows\system32\Ojfcmc32.exe
        255⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Ppclej32.exe
        
        C:\Windows\system32\Ppclej32.exe
        256⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Pndlca32.exe
        
        C:\Windows\system32\Pndlca32.exe
        257⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Phlqlgmg.exe
        
        C:\Windows\system32\Phlqlgmg.exe
        258⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Ppgeqijb.exe
        
        C:\Windows\system32\Ppgeqijb.exe
        259⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Ppjbfi32.exe
        
        C:\Windows\system32\Ppjbfi32.exe
        260⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Pnkbdqpo.exe
        
        C:\Windows\system32\Pnkbdqpo.exe
        261⤵
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Pnmojp32.exe
        
        C:\Windows\system32\Pnmojp32.exe
        262⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Qpolahdj.exe
        
        C:\Windows\system32\Qpolahdj.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8712
        
        C:\Windows\SysWOW64\Qmblkmcd.exe
        
        C:\Windows\system32\Qmblkmcd.exe
        264⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Qjfmda32.exe
        
        C:\Windows\system32\Qjfmda32.exe
        265⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Apcemh32.exe
        
        C:\Windows\system32\Apcemh32.exe
        266⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Aabafkgh.exe
        
        C:\Windows\system32\Aabafkgh.exe
        267⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Amibklml.exe
        
        C:\Windows\system32\Amibklml.exe
        268⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Amloakki.exe
        
        C:\Windows\system32\Amloakki.exe
        269⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Akpojpic.exe
        
        C:\Windows\system32\Akpojpic.exe
        270⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Bmqhlk32.exe
        
        C:\Windows\system32\Bmqhlk32.exe
        271⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Bdjqienq.exe
        
        C:\Windows\system32\Bdjqienq.exe
        272⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Bopefnnf.exe
        
        C:\Windows\system32\Bopefnnf.exe
        273⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Bpaanfce.exe
        
        C:\Windows\system32\Bpaanfce.exe
        274⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Bkgekock.exe
        
        C:\Windows\system32\Bkgekock.exe
        275⤵
        Modifies registry class
        
        PID:8748
        
        C:\Windows\SysWOW64\Bpcnceab.exe
        
        C:\Windows\system32\Bpcnceab.exe
        276⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Bngnmjql.exe
        
        C:\Windows\system32\Bngnmjql.exe
        277⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnjkbi32.exe
        
        C:\Windows\system32\Bnjkbi32.exe
        278⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Cknlln32.exe
        
        C:\Windows\system32\Cknlln32.exe
        279⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Cdfpdc32.exe
        
        C:\Windows\system32\Cdfpdc32.exe
        280⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Cnodmijd.exe
        
        C:\Windows\system32\Cnodmijd.exe
        281⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Chdikajj.exe
        
        C:\Windows\system32\Chdikajj.exe
        282⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Calmcg32.exe
        
        C:\Windows\system32\Calmcg32.exe
        283⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Cgiflnoa.exe
        
        C:\Windows\system32\Cgiflnoa.exe
        284⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Caojigoh.exe
        
        C:\Windows\system32\Caojigoh.exe
        285⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Cpdgjc32.exe
        
        C:\Windows\system32\Cpdgjc32.exe
        286⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Dhnlapbo.exe
        
        C:\Windows\system32\Dhnlapbo.exe
        287⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Dqmjqb32.exe
        
        C:\Windows\system32\Dqmjqb32.exe
        288⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Doojni32.exe
        
        C:\Windows\system32\Doojni32.exe
        289⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Egjobl32.exe
        
        C:\Windows\system32\Egjobl32.exe
        290⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Ehikmohb.exe
        
        C:\Windows\system32\Ehikmohb.exe
        291⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Eqgmgq32.exe
        
        C:\Windows\system32\Eqgmgq32.exe
        292⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Fbbhla32.exe
        
        C:\Windows\system32\Fbbhla32.exe
        293⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Gohfkemf.exe
        
        C:\Windows\system32\Gohfkemf.exe
        294⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Gnblgani.exe
        
        C:\Windows\system32\Gnblgani.exe
        295⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Haceil32.exe
        
        C:\Windows\system32\Haceil32.exe
        296⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Hngebq32.exe
        
        C:\Windows\system32\Hngebq32.exe
        297⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Hpfbmcaf.exe
        
        C:\Windows\system32\Hpfbmcaf.exe
        298⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Hiofeigg.exe
        
        C:\Windows\system32\Hiofeigg.exe
        299⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Hajkjkdb.exe
        
        C:\Windows\system32\Hajkjkdb.exe
        300⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Hnphio32.exe
        
        C:\Windows\system32\Hnphio32.exe
        301⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Ilfehcnp.exe
        
        C:\Windows\system32\Ilfehcnp.exe
        302⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Ioikon32.exe
        
        C:\Windows\system32\Ioikon32.exe
        303⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Ihbphcpo.exe
        
        C:\Windows\system32\Ihbphcpo.exe
        304⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Jhdlncnl.exe
        
        C:\Windows\system32\Jhdlncnl.exe
        305⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Jehmgg32.exe
        
        C:\Windows\system32\Jehmgg32.exe
        306⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Jejjlg32.exe
        
        C:\Windows\system32\Jejjlg32.exe
        307⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Kimlnemd.exe
        
        C:\Windows\system32\Kimlnemd.exe
        308⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Kakmhg32.exe
        
        C:\Windows\system32\Kakmhg32.exe
        309⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Kpnjknni.exe
        
        C:\Windows\system32\Kpnjknni.exe
        310⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Locgljca.exe
        
        C:\Windows\system32\Locgljca.exe
        311⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Likhoc32.exe
        
        C:\Windows\system32\Likhoc32.exe
        312⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Lomjbikf.exe
        
        C:\Windows\system32\Lomjbikf.exe
        313⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Modpch32.exe
        
        C:\Windows\system32\Modpch32.exe
        314⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Nfenpafc.exe
        
        C:\Windows\system32\Nfenpafc.exe
        315⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Nmacbk32.exe
        
        C:\Windows\system32\Nmacbk32.exe
        316⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Nqolii32.exe
        
        C:\Windows\system32\Nqolii32.exe
        317⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Ncpejd32.exe
        
        C:\Windows\system32\Ncpejd32.exe
        318⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Fllkjd32.exe
        
        C:\Windows\system32\Fllkjd32.exe
        173⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Fmkgdgej.exe
        
        C:\Windows\system32\Fmkgdgej.exe
        174⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Gjohnkdd.exe
        
        C:\Windows\system32\Gjohnkdd.exe
        175⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Glbakchp.exe
        
        C:\Windows\system32\Glbakchp.exe
        176⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Gmbmefob.exe
        
        C:\Windows\system32\Gmbmefob.exe
        177⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Giinjg32.exe
        
        C:\Windows\system32\Giinjg32.exe
        178⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Gkhkdjli.exe
        
        C:\Windows\system32\Gkhkdjli.exe
        179⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Gdaomobj.exe
        
        C:\Windows\system32\Gdaomobj.exe
        180⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Hingefqa.exe
        
        C:\Windows\system32\Hingefqa.exe
        181⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Hlnqfanb.exe
        
        C:\Windows\system32\Hlnqfanb.exe
        182⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Hkpqdifa.exe
        
        C:\Windows\system32\Hkpqdifa.exe
        183⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Hienee32.exe
        
        C:\Windows\system32\Hienee32.exe
        184⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Iiigqdfd.exe
        
        C:\Windows\system32\Iiigqdfd.exe
        185⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Igmgji32.exe
        
        C:\Windows\system32\Igmgji32.exe
        186⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Ipjenn32.exe
        
        C:\Windows\system32\Ipjenn32.exe
        187⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Ipmbcm32.exe
        
        C:\Windows\system32\Ipmbcm32.exe
        188⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Jnqbmadp.exe
        
        C:\Windows\system32\Jnqbmadp.exe
        189⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Jkdcffci.exe
        
        C:\Windows\system32\Jkdcffci.exe
        190⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Jpalomaq.exe
        
        C:\Windows\system32\Jpalomaq.exe
        191⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Jjlmmbfo.exe
        
        C:\Windows\system32\Jjlmmbfo.exe
        192⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Jjoibadl.exe
        
        C:\Windows\system32\Jjoibadl.exe
        193⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Kdfjej32.exe
        
        C:\Windows\system32\Kdfjej32.exe
        194⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\Kmaojl32.exe
        
        C:\Windows\system32\Kmaojl32.exe
        195⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Knaldo32.exe
        
        C:\Windows\system32\Knaldo32.exe
        196⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Kqbdej32.exe
        
        C:\Windows\system32\Kqbdej32.exe
        197⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Kjjinp32.exe
        
        C:\Windows\system32\Kjjinp32.exe
        198⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Lkjehbaa.exe
        
        C:\Windows\system32\Lkjehbaa.exe
        199⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Lqfnqjpi.exe
        
        C:\Windows\system32\Lqfnqjpi.exe
        200⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Lklbnb32.exe
        
        C:\Windows\system32\Lklbnb32.exe
        201⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Lknocb32.exe
        
        C:\Windows\system32\Lknocb32.exe
        202⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Lnohemjm.exe
        
        C:\Windows\system32\Lnohemjm.exe
        203⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Lclpmdhd.exe
        
        C:\Windows\system32\Lclpmdhd.exe
        204⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Mgjicb32.exe
        
        C:\Windows\system32\Mgjicb32.exe
        205⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Menimfnd.exe
        
        C:\Windows\system32\Menimfnd.exe
        206⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Madjbg32.exe
        
        C:\Windows\system32\Madjbg32.exe
        207⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Mgoboake.exe
        
        C:\Windows\system32\Mgoboake.exe
        208⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Mebchf32.exe
        
        C:\Windows\system32\Mebchf32.exe
        209⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Mgclja32.exe
        
        C:\Windows\system32\Mgclja32.exe
        210⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Nmpdbh32.exe
        
        C:\Windows\system32\Nmpdbh32.exe
        211⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Nmbaggce.exe
        
        C:\Windows\system32\Nmbaggce.exe
        212⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Njfaalao.exe
        
        C:\Windows\system32\Njfaalao.exe
        213⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Ncofjaho.exe
        
        C:\Windows\system32\Ncofjaho.exe
        214⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Nlhkqngo.exe
        
        C:\Windows\system32\Nlhkqngo.exe
        215⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Naecieef.exe
        
        C:\Windows\system32\Naecieef.exe
        216⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Nljgfn32.exe
        
        C:\Windows\system32\Nljgfn32.exe
        217⤵
        
        PID:180
        
        C:\Windows\SysWOW64\Odfljp32.exe
        
        C:\Windows\system32\Odfljp32.exe
        218⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Odhipp32.exe
        
        C:\Windows\system32\Odhipp32.exe
        219⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Oegejc32.exe
        
        C:\Windows\system32\Oegejc32.exe
        220⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Omcjne32.exe
        
        C:\Windows\system32\Omcjne32.exe
        221⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Ojgjhicl.exe
        
        C:\Windows\system32\Ojgjhicl.exe
        222⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Ohkkanbe.exe
        
        C:\Windows\system32\Ohkkanbe.exe
        223⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Pdalfo32.exe
        
        C:\Windows\system32\Pdalfo32.exe
        224⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Phodlm32.exe
        
        C:\Windows\system32\Phodlm32.exe
        225⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Pecefa32.exe
        
        C:\Windows\system32\Pecefa32.exe
        226⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Pdhbgn32.exe
        
        C:\Windows\system32\Pdhbgn32.exe
        227⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Ponfdf32.exe
        
        C:\Windows\system32\Ponfdf32.exe
        228⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Qkegiggl.exe
        
        C:\Windows\system32\Qkegiggl.exe
        229⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Qdmkbmnl.exe
        
        C:\Windows\system32\Qdmkbmnl.exe
        230⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Qoboofnb.exe
        
        C:\Windows\system32\Qoboofnb.exe
        231⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Qdphgmlj.exe
        
        C:\Windows\system32\Qdphgmlj.exe
        232⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Alimnj32.exe
        
        C:\Windows\system32\Alimnj32.exe
        233⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Addabl32.exe
        
        C:\Windows\system32\Addabl32.exe
        234⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Adfnhlfa.exe
        
        C:\Windows\system32\Adfnhlfa.exe
        235⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Anobaa32.exe
        
        C:\Windows\system32\Anobaa32.exe
        236⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Adiknkco.exe
        
        C:\Windows\system32\Adiknkco.exe
        237⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Aehghn32.exe
        
        C:\Windows\system32\Aehghn32.exe
        238⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Boqlqd32.exe
        
        C:\Windows\system32\Boqlqd32.exe
        239⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Bochfc32.exe
        
        C:\Windows\system32\Bochfc32.exe
        240⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Boeelcmm.exe
        
        C:\Windows\system32\Boeelcmm.exe
        241⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Blieeglf.exe
        
        C:\Windows\system32\Blieeglf.exe
        242⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Beajnm32.exe
        
        C:\Windows\system32\Beajnm32.exe
        243⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Bkobfdao.exe
        
        C:\Windows\system32\Bkobfdao.exe
        244⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Chbcphph.exe
        
        C:\Windows\system32\Chbcphph.exe
        245⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Cnokhonp.exe
        
        C:\Windows\system32\Cnokhonp.exe
        246⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Cbmdnmdf.exe
        
        C:\Windows\system32\Cbmdnmdf.exe
        247⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Chglkg32.exe
        
        C:\Windows\system32\Chglkg32.exe
        248⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Cdnmphag.exe
        
        C:\Windows\system32\Cdnmphag.exe
        249⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Chlffghn.exe
        
        C:\Windows\system32\Chlffghn.exe
        250⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Dfpfokfg.exe
        
        C:\Windows\system32\Dfpfokfg.exe
        251⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Dojgnpke.exe
        
        C:\Windows\system32\Dojgnpke.exe
        252⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Ddgpfgil.exe
        
        C:\Windows\system32\Ddgpfgil.exe
        253⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Dbkpokhf.exe
        
        C:\Windows\system32\Dbkpokhf.exe
        254⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Dbnmek32.exe
        
        C:\Windows\system32\Dbnmek32.exe
        255⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Dmcabd32.exe
        
        C:\Windows\system32\Dmcabd32.exe
        256⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Efkfkilj.exe
        
        C:\Windows\system32\Efkfkilj.exe
        257⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Eodjdocj.exe
        
        C:\Windows\system32\Eodjdocj.exe
        258⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Eilomd32.exe
        
        C:\Windows\system32\Eilomd32.exe
        259⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Ekmhnpfl.exe
        
        C:\Windows\system32\Ekmhnpfl.exe
        260⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Ebgpkj32.exe
        
        C:\Windows\system32\Ebgpkj32.exe
        261⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Efeiahdo.exe
        
        C:\Windows\system32\Efeiahdo.exe
        262⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Epmmjnkp.exe
        
        C:\Windows\system32\Epmmjnkp.exe
        263⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Fejebdig.exe
        
        C:\Windows\system32\Fejebdig.exe
        264⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Fnbjkj32.exe
        
        C:\Windows\system32\Fnbjkj32.exe
        265⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Fnegqjne.exe
        
        C:\Windows\system32\Fnegqjne.exe
        266⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Ffnkggld.exe
        
        C:\Windows\system32\Ffnkggld.exe
        267⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Fbellhbi.exe
        
        C:\Windows\system32\Fbellhbi.exe
        268⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Capikhgh.exe
        
        C:\Windows\system32\Capikhgh.exe
        37⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Cjindm32.exe
        
        C:\Windows\system32\Cjindm32.exe
        38⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Cabfagee.exe
        
        C:\Windows\system32\Cabfagee.exe
        39⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Cfonin32.exe
        
        C:\Windows\system32\Cfonin32.exe
        40⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Cmiffhkj.exe
        
        C:\Windows\system32\Cmiffhkj.exe
        41⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Cjmgomjc.exe
        
        C:\Windows\system32\Cjmgomjc.exe
        42⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Pddmml32.exe
        
        C:\Windows\system32\Pddmml32.exe
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Pnlafaio.exe
        
        C:\Windows\system32\Pnlafaio.exe
        10⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Odaphl32.exe
        
        C:\Windows\system32\Odaphl32.exe
        8⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Pjnipc32.exe
        
        C:\Windows\system32\Pjnipc32.exe
        9⤵
        
        PID:3348

C:\Windows\SysWOW64\Gmlhbo32.exe
C:\Windows\system32\Gmlhbo32.exe
1⤵
PID:4912
- C:\Windows\SysWOW64\Hfemkdbm.exe
  C:\Windows\system32\Hfemkdbm.exe
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\Hbknqeha.exe
    C:\Windows\system32\Hbknqeha.exe
    3⤵
    PID:7252
  - - C:\Windows\SysWOW64\Hmabnnhg.exe
      C:\Windows\system32\Hmabnnhg.exe
      4⤵
      PID:4768
    - - C:\Windows\SysWOW64\Hckjjh32.exe
        
        C:\Windows\system32\Hckjjh32.exe
        5⤵
        
        PID:7596
      - C:\Windows\SysWOW64\Hmcocn32.exe
        
        C:\Windows\system32\Hmcocn32.exe
        6⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Hbpgle32.exe
        
        C:\Windows\system32\Hbpgle32.exe
        7⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Hkhkdjkl.exe
        
        C:\Windows\system32\Hkhkdjkl.exe
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Hfnpacjb.exe
        
        C:\Windows\system32\Hfnpacjb.exe
        9⤵
        
        PID:1628

C:\Windows\SysWOW64\Hmhhnmao.exe
C:\Windows\system32\Hmhhnmao.exe
1⤵
PID:4988
- C:\Windows\SysWOW64\Iecmcpoj.exe
  C:\Windows\system32\Iecmcpoj.exe
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\Ipiaphop.exe
    C:\Windows\system32\Ipiaphop.exe
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\Ieeihomg.exe
      C:\Windows\system32\Ieeihomg.exe
      4⤵
      PID:8180

C:\Windows\SysWOW64\Icgjfgef.exe
C:\Windows\system32\Icgjfgef.exe
1⤵
PID:4436
- C:\Windows\SysWOW64\Iicboncn.exe
  C:\Windows\system32\Iicboncn.exe
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\Ifgbhbbh.exe
    C:\Windows\system32\Ifgbhbbh.exe
    3⤵
    PID:7380
  - - C:\Windows\SysWOW64\Ildkpiqo.exe
      C:\Windows\system32\Ildkpiqo.exe
      4⤵
      PID:7540
    - - C:\Windows\SysWOW64\Ifjoma32.exe
        
        C:\Windows\system32\Ifjoma32.exe
        5⤵
        
        PID:2356
      - C:\Windows\SysWOW64\Jbqpbbfi.exe
        
        C:\Windows\system32\Jbqpbbfi.exe
        6⤵
        
        PID:7776

C:\Windows\SysWOW64\Jijhom32.exe
C:\Windows\system32\Jijhom32.exe
1⤵
PID:4056
- C:\Windows\SysWOW64\Jbcmhb32.exe
  C:\Windows\system32\Jbcmhb32.exe
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\Jpgmaf32.exe
    C:\Windows\system32\Jpgmaf32.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:8016
  - - C:\Windows\SysWOW64\Jecejm32.exe
      C:\Windows\system32\Jecejm32.exe
      4⤵
      PID:2072

C:\Windows\SysWOW64\Mmnlnfcb.exe
C:\Windows\system32\Mmnlnfcb.exe
1⤵
PID:4844
- C:\Windows\SysWOW64\Mckefmai.exe
  C:\Windows\system32\Mckefmai.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3364
- - C:\Windows\SysWOW64\Mnpice32.exe
    C:\Windows\system32\Mnpice32.exe
    3⤵
    - Drops file in System32 directory
    PID:8008
  - - C:\Windows\SysWOW64\Meknhh32.exe
      C:\Windows\system32\Meknhh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies registry class
      PID:3520
    - - C:\Windows\SysWOW64\Ndokko32.exe
        
        C:\Windows\system32\Ndokko32.exe
        5⤵
        
        PID:2168
      - C:\Windows\SysWOW64\Njlcdf32.exe
        
        C:\Windows\system32\Njlcdf32.exe
        6⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Ndagao32.exe
        
        C:\Windows\system32\Ndagao32.exe
        7⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Ncfdbk32.exe
        
        C:\Windows\system32\Ncfdbk32.exe
        8⤵
        
        PID:4008

C:\Windows\SysWOW64\Nnlhod32.exe
C:\Windows\system32\Nnlhod32.exe
1⤵
PID:608
- C:\Windows\SysWOW64\Ndfqlnno.exe
  C:\Windows\system32\Ndfqlnno.exe
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\Opmaaodc.exe
    C:\Windows\system32\Opmaaodc.exe
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\Oggjni32.exe
      C:\Windows\system32\Oggjni32.exe
      4⤵
      PID:1280
    - - C:\Windows\SysWOW64\Ogifci32.exe
        
        C:\Windows\system32\Ogifci32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260

C:\Windows\SysWOW64\Oncopcqj.exe
C:\Windows\system32\Oncopcqj.exe
1⤵
PID:7792
- C:\Windows\SysWOW64\Ocpghj32.exe
  C:\Windows\system32\Ocpghj32.exe
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\Ojllkcdk.exe
    C:\Windows\system32\Ojllkcdk.exe
    3⤵
    PID:3596

C:\Windows\SysWOW64\Pckfdh32.exe
C:\Windows\system32\Pckfdh32.exe
1⤵
PID:1324
- C:\Windows\SysWOW64\Pmdkmnkd.exe
  C:\Windows\system32\Pmdkmnkd.exe
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\Pgiojf32.exe
    C:\Windows\system32\Pgiojf32.exe
    3⤵
    PID:5180

C:\Windows\SysWOW64\Qcppogqo.exe
C:\Windows\system32\Qcppogqo.exe
1⤵
PID:1508
- C:\Windows\SysWOW64\Qmhdhm32.exe
  C:\Windows\system32\Qmhdhm32.exe
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\Qgnief32.exe
    C:\Windows\system32\Qgnief32.exe
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\Qmkanmel.exe
      C:\Windows\system32\Qmkanmel.exe
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\Agqekeeb.exe
        
        C:\Windows\system32\Agqekeeb.exe
        5⤵
        
        PID:1632

C:\Windows\SysWOW64\Anjngp32.exe
C:\Windows\system32\Anjngp32.exe
1⤵
- Drops file in System32 directory
PID:860
- C:\Windows\SysWOW64\Agcbqecp.exe
  C:\Windows\system32\Agcbqecp.exe
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\Aqkgikip.exe
    C:\Windows\system32\Aqkgikip.exe
    3⤵
    PID:5320
  - - C:\Windows\SysWOW64\Ageofe32.exe
      C:\Windows\system32\Ageofe32.exe
      4⤵
      PID:1728

C:\Windows\SysWOW64\Agglld32.exe
C:\Windows\system32\Agglld32.exe
1⤵
PID:5192
- C:\Windows\SysWOW64\Amdddkma.exe
  C:\Windows\system32\Amdddkma.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5404
- - C:\Windows\SysWOW64\Agjhadmh.exe
    C:\Windows\system32\Agjhadmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:4744
  - - C:\Windows\SysWOW64\Babmjj32.exe
      C:\Windows\system32\Babmjj32.exe
      4⤵
      PID:6072
    - - C:\Windows\SysWOW64\Bccfleqi.exe
        
        C:\Windows\system32\Bccfleqi.exe
        5⤵
        Drops file in System32 directory
        
        PID:6120

C:\Windows\SysWOW64\Ambgnl32.exe
C:\Windows\system32\Ambgnl32.exe
1⤵
PID:5852

C:\Windows\SysWOW64\Bnhjinpo.exe
C:\Windows\system32\Bnhjinpo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5724
- C:\Windows\SysWOW64\Bmngjj32.exe
  C:\Windows\system32\Bmngjj32.exe
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\Ceihffad.exe
    C:\Windows\system32\Ceihffad.exe
    3⤵
    PID:5884
  - - C:\Windows\SysWOW64\Cjfaon32.exe
      C:\Windows\system32\Cjfaon32.exe
      4⤵
      PID:5924

C:\Windows\SysWOW64\Ceckleii.exe
C:\Windows\system32\Ceckleii.exe
1⤵
PID:5272
- C:\Windows\SysWOW64\Cokpekpj.exe
  C:\Windows\system32\Cokpekpj.exe
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\Deehbe32.exe
    C:\Windows\system32\Deehbe32.exe
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\Ddjecalo.exe
      C:\Windows\system32\Ddjecalo.exe
      4⤵
      PID:5976
    - - C:\Windows\SysWOW64\Dkdmpl32.exe
        
        C:\Windows\system32\Dkdmpl32.exe
        5⤵
        
        PID:5168

C:\Windows\SysWOW64\Dfknem32.exe
C:\Windows\system32\Dfknem32.exe
1⤵
PID:8228
- C:\Windows\SysWOW64\Dmefafql.exe
  C:\Windows\system32\Dmefafql.exe
  2⤵
  PID:8272
- - C:\Windows\SysWOW64\Dacohegc.exe
    C:\Windows\system32\Dacohegc.exe
    3⤵
    PID:8332

C:\Windows\SysWOW64\Dgpgplej.exe
C:\Windows\system32\Dgpgplej.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8372
- C:\Windows\SysWOW64\Egbdekcg.exe
  C:\Windows\system32\Egbdekcg.exe
  2⤵
  PID:8432
- - C:\Windows\SysWOW64\Eecdcckf.exe
    C:\Windows\system32\Eecdcckf.exe
    3⤵
    PID:8484

C:\Windows\SysWOW64\Ekpmljin.exe
C:\Windows\system32\Ekpmljin.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8524
- C:\Windows\SysWOW64\Edhado32.exe
  C:\Windows\system32\Edhado32.exe
  2⤵
  PID:8568
- - C:\Windows\SysWOW64\Emaemefo.exe
    C:\Windows\system32\Emaemefo.exe
    3⤵
    - Modifies registry class
    PID:8620

C:\Windows\SysWOW64\Egijfjmp.exe
C:\Windows\system32\Egijfjmp.exe
1⤵
PID:8664
- C:\Windows\SysWOW64\Emcbcd32.exe
  C:\Windows\system32\Emcbcd32.exe
  2⤵
  PID:8712
- - C:\Windows\SysWOW64\Ehifpm32.exe
    C:\Windows\system32\Ehifpm32.exe
    3⤵
    PID:8756
  - - C:\Windows\SysWOW64\Femgia32.exe
      C:\Windows\system32\Femgia32.exe
      4⤵
      PID:8808
    - - C:\Windows\SysWOW64\Fkiobhac.exe
        
        C:\Windows\system32\Fkiobhac.exe
        5⤵
        
        PID:8848
      - C:\Windows\SysWOW64\Fachob32.exe
        
        C:\Windows\system32\Fachob32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8896
        
        C:\Windows\SysWOW64\Fgppgi32.exe
        
        C:\Windows\system32\Fgppgi32.exe
        7⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Fnjhccnd.exe
        
        C:\Windows\system32\Fnjhccnd.exe
        8⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Fddqpn32.exe
        
        C:\Windows\system32\Fddqpn32.exe
        9⤵
        
        PID:9040

C:\Windows\SysWOW64\Daneme32.exe
C:\Windows\system32\Daneme32.exe
1⤵
PID:5480

C:\Windows\SysWOW64\Fknimh32.exe
C:\Windows\system32\Fknimh32.exe
1⤵
PID:9076
- C:\Windows\SysWOW64\Fdfmfmdo.exe
  C:\Windows\system32\Fdfmfmdo.exe
  2⤵
  PID:9136
- - C:\Windows\SysWOW64\Folacfcd.exe
    C:\Windows\system32\Folacfcd.exe
    3⤵
    PID:9184
  - - C:\Windows\SysWOW64\Fefjpp32.exe
      C:\Windows\system32\Fefjpp32.exe
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\Gamjea32.exe
        
        C:\Windows\system32\Gamjea32.exe
        5⤵
        
        PID:5564
      - C:\Windows\SysWOW64\Gaogja32.exe
        
        C:\Windows\system32\Gaogja32.exe
        6⤵
        
        PID:8268

C:\Windows\SysWOW64\Ghiogkfp.exe
C:\Windows\system32\Ghiogkfp.exe
1⤵
- Drops file in System32 directory
PID:8320
- C:\Windows\SysWOW64\Gnfhob32.exe
  C:\Windows\system32\Gnfhob32.exe
  2⤵
  PID:8392
- - C:\Windows\SysWOW64\Gdppllld.exe
    C:\Windows\system32\Gdppllld.exe
    3⤵
    PID:8420
  - - C:\Windows\SysWOW64\Gkjhif32.exe
      C:\Windows\system32\Gkjhif32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:8468
    - - C:\Windows\SysWOW64\Gadqepkn.exe
        
        C:\Windows\system32\Gadqepkn.exe
        5⤵
        Modifies registry class
        
        PID:8516
      - C:\Windows\SysWOW64\Gnkajapa.exe
        
        C:\Windows\system32\Gnkajapa.exe
        6⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Gddigk32.exe
        
        C:\Windows\system32\Gddigk32.exe
        7⤵
        
        PID:8820

C:\Windows\SysWOW64\Hbppaopp.exe
C:\Windows\system32\Hbppaopp.exe
1⤵
PID:8884
- C:\Windows\SysWOW64\Hhihnihm.exe
  C:\Windows\system32\Hhihnihm.exe
  2⤵
  PID:8924
- - C:\Windows\SysWOW64\Hfmigmgf.exe
    C:\Windows\system32\Hfmigmgf.exe
    3⤵
    - Drops file in System32 directory
    PID:9020
  - - C:\Windows\SysWOW64\Ininloda.exe
      C:\Windows\system32\Ininloda.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:9100
    - - C:\Windows\SysWOW64\Idbfhiko.exe
        
        C:\Windows\system32\Idbfhiko.exe
        5⤵
        
        PID:9148
      - C:\Windows\SysWOW64\Ikmnec32.exe
        
        C:\Windows\system32\Ikmnec32.exe
        6⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Ibffbnjh.exe
        
        C:\Windows\system32\Ibffbnjh.exe
        7⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Inmggo32.exe
        
        C:\Windows\system32\Inmggo32.exe
        8⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ikagpcof.exe
        
        C:\Windows\system32\Ikagpcof.exe
        9⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Ibkpmm32.exe
        
        C:\Windows\system32\Ibkpmm32.exe
        10⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Iejlih32.exe
        
        C:\Windows\system32\Iejlih32.exe
        11⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Ifihckmi.exe
        
        C:\Windows\system32\Ifihckmi.exe
        12⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Jkfakb32.exe
        
        C:\Windows\system32\Jkfakb32.exe
        13⤵
        
        PID:5528

C:\Windows\SysWOW64\Jbpihlbn.exe
C:\Windows\system32\Jbpihlbn.exe
1⤵
PID:5152
- C:\Windows\SysWOW64\Jijaef32.exe
  C:\Windows\system32\Jijaef32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5204
- - C:\Windows\SysWOW64\Jodiaqag.exe
    C:\Windows\system32\Jodiaqag.exe
    3⤵
    PID:6048
  - - C:\Windows\SysWOW64\Jilnjf32.exe
      C:\Windows\system32\Jilnjf32.exe
      4⤵
      Modifies registry class
      PID:3588
    - - C:\Windows\SysWOW64\Jbdbcl32.exe
        
        C:\Windows\system32\Jbdbcl32.exe
        5⤵
        
        PID:8776
      - C:\Windows\SysWOW64\Jkmgladi.exe
        
        C:\Windows\system32\Jkmgladi.exe
        6⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Jiageecb.exe
        
        C:\Windows\system32\Jiageecb.exe
        7⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Kehhjfif.exe
        
        C:\Windows\system32\Kehhjfif.exe
        8⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Kpmlhoil.exe
        
        C:\Windows\system32\Kpmlhoil.exe
        9⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Kfgddi32.exe
        
        C:\Windows\system32\Kfgddi32.exe
        10⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Kppimogj.exe
        
        C:\Windows\system32\Kppimogj.exe
        11⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Knefnkla.exe
        
        C:\Windows\system32\Knefnkla.exe
        12⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Keonke32.exe
        
        C:\Windows\system32\Keonke32.exe
        13⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kpdbhn32.exe
        
        C:\Windows\system32\Kpdbhn32.exe
        14⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Khpgmqpp.exe
        
        C:\Windows\system32\Khpgmqpp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Lbekjipe.exe
        
        C:\Windows\system32\Lbekjipe.exe
        16⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Lpilcnoo.exe
        
        C:\Windows\system32\Lpilcnoo.exe
        17⤵
        Drops file in System32 directory
        
        PID:8576
        
        C:\Windows\SysWOW64\Lefdld32.exe
        
        C:\Windows\system32\Lefdld32.exe
        18⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Lnnidjcg.exe
        
        C:\Windows\system32\Lnnidjcg.exe
        19⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Lpneom32.exe
        
        C:\Windows\system32\Lpneom32.exe
        20⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Lldfcn32.exe
        
        C:\Windows\system32\Lldfcn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Lfjjqg32.exe
        
        C:\Windows\system32\Lfjjqg32.exe
        22⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Mhppcn32.exe
        
        C:\Windows\system32\Mhppcn32.exe
        23⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Mbedag32.exe
        
        C:\Windows\system32\Mbedag32.exe
        24⤵
        Modifies registry class
        
        PID:9052
        
        C:\Windows\SysWOW64\Molefh32.exe
        
        C:\Windows\system32\Molefh32.exe
        25⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Miaica32.exe
        
        C:\Windows\system32\Miaica32.exe
        26⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mbjnlfnn.exe
        
        C:\Windows\system32\Mbjnlfnn.exe
        27⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Midfiq32.exe
        
        C:\Windows\system32\Midfiq32.exe
        28⤵
        Drops file in System32 directory
        
        PID:8260
        
        C:\Windows\SysWOW64\Nhicjm32.exe
        
        C:\Windows\system32\Nhicjm32.exe
        29⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Nboggf32.exe
        
        C:\Windows\system32\Nboggf32.exe
        30⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Nhlpom32.exe
        
        C:\Windows\system32\Nhlpom32.exe
        31⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Neppiagi.exe
        
        C:\Windows\system32\Neppiagi.exe
        32⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Npedfjfo.exe
        
        C:\Windows\system32\Npedfjfo.exe
        33⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Nimioo32.exe
        
        C:\Windows\system32\Nimioo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8692
        
        C:\Windows\SysWOW64\Nojagf32.exe
        
        C:\Windows\system32\Nojagf32.exe
        35⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Oomnmfid.exe
        
        C:\Windows\system32\Oomnmfid.exe
        36⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Oeffip32.exe
        
        C:\Windows\system32\Oeffip32.exe
        37⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Oookbega.exe
        
        C:\Windows\system32\Oookbega.exe
        38⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Opnglhnd.exe
        
        C:\Windows\system32\Opnglhnd.exe
        39⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Oocdme32.exe
        
        C:\Windows\system32\Oocdme32.exe
        40⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Oiihkncb.exe
        
        C:\Windows\system32\Oiihkncb.exe
        41⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Ogmidbal.exe
        
        C:\Windows\system32\Ogmidbal.exe
        42⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ppemmg32.exe
        
        C:\Windows\system32\Ppemmg32.exe
        43⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Pllnbh32.exe
        
        C:\Windows\system32\Pllnbh32.exe
        44⤵
        
        PID:6224

C:\Windows\SysWOW64\Pgaboa32.exe
C:\Windows\system32\Pgaboa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040
- C:\Windows\SysWOW64\Ppjghgdg.exe
  C:\Windows\system32\Ppjghgdg.exe
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\Pjbkal32.exe
    C:\Windows\system32\Pjbkal32.exe
    3⤵
    PID:6432
  - - C:\Windows\SysWOW64\Poodicio.exe
      C:\Windows\system32\Poodicio.exe
      4⤵
      PID:8632
    - - C:\Windows\SysWOW64\Poaqocgl.exe
        
        C:\Windows\system32\Poaqocgl.exe
        5⤵
        
        PID:6400
      - C:\Windows\SysWOW64\Qhjegh32.exe
        
        C:\Windows\system32\Qhjegh32.exe
        6⤵
        Modifies registry class
        
        PID:8600
        
        C:\Windows\SysWOW64\Qgkeep32.exe
        
        C:\Windows\system32\Qgkeep32.exe
        7⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Qofjjb32.exe
        
        C:\Windows\system32\Qofjjb32.exe
        8⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Aoifoa32.exe
        
        C:\Windows\system32\Aoifoa32.exe
        9⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Ajnkmjqj.exe
        
        C:\Windows\system32\Ajnkmjqj.exe
        10⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Agiagn32.exe
        
        C:\Windows\system32\Agiagn32.exe
        11⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Bijnnf32.exe
        
        C:\Windows\system32\Bijnnf32.exe
        12⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Bcpblo32.exe
        
        C:\Windows\system32\Bcpblo32.exe
        13⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Bqdbec32.exe
        
        C:\Windows\system32\Bqdbec32.exe
        14⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Bqfokblg.exe
        
        C:\Windows\system32\Bqfokblg.exe
        15⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Bgeabloo.exe
        
        C:\Windows\system32\Bgeabloo.exe
        16⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Cifmjd32.exe
        
        C:\Windows\system32\Cifmjd32.exe
        17⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Cclagm32.exe
        
        C:\Windows\system32\Cclagm32.exe
        18⤵
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Cjejdglp.exe
        
        C:\Windows\system32\Cjejdglp.exe
        19⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Cpbbln32.exe
        
        C:\Windows\system32\Cpbbln32.exe
        20⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Cikgecag.exe
        
        C:\Windows\system32\Cikgecag.exe
        21⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Ccpkblqn.exe
        
        C:\Windows\system32\Ccpkblqn.exe
        22⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Cgndikgd.exe
        
        C:\Windows\system32\Cgndikgd.exe
        23⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Cpihmmdo.exe
        
        C:\Windows\system32\Cpihmmdo.exe
        24⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Djomjfde.exe
        
        C:\Windows\system32\Djomjfde.exe
        25⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Dplebmbl.exe
        
        C:\Windows\system32\Dplebmbl.exe
        26⤵
        Drops file in System32 directory
        
        PID:8308
        
        C:\Windows\SysWOW64\Dakampio.exe
        
        C:\Windows\system32\Dakampio.exe
        27⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Dfhjefhf.exe
        
        C:\Windows\system32\Dfhjefhf.exe
        28⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Dannbogl.exe
        
        C:\Windows\system32\Dannbogl.exe
        29⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Dfjgjf32.exe
        
        C:\Windows\system32\Dfjgjf32.exe
        30⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Dpckclld.exe
        
        C:\Windows\system32\Dpckclld.exe
        31⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ehlpjikd.exe
        
        C:\Windows\system32\Ehlpjikd.exe
        32⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Emihbp32.exe
        
        C:\Windows\system32\Emihbp32.exe
        33⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Edcqojqh.exe
        
        C:\Windows\system32\Edcqojqh.exe
        34⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Eipigqop.exe
        
        C:\Windows\system32\Eipigqop.exe
        35⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Eplnijdj.exe
        
        C:\Windows\system32\Eplnijdj.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Eidbbp32.exe
        
        C:\Windows\system32\Eidbbp32.exe
        37⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Edjgpi32.exe
        
        C:\Windows\system32\Edjgpi32.exe
        38⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Fdlcehhn.exe
        
        C:\Windows\system32\Fdlcehhn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8408
        
        C:\Windows\SysWOW64\Fkflbb32.exe
        
        C:\Windows\system32\Fkflbb32.exe
        40⤵
        Modifies registry class
        
        PID:8628
        
        C:\Windows\SysWOW64\Fapdomgg.exe
        
        C:\Windows\system32\Fapdomgg.exe
        41⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Fhjlkg32.exe
        
        C:\Windows\system32\Fhjlkg32.exe
        42⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Fmgecn32.exe
        
        C:\Windows\system32\Fmgecn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Fgpilc32.exe
        
        C:\Windows\system32\Fgpilc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Fmiaimki.exe
        
        C:\Windows\system32\Fmiaimki.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4180
        
        C:\Windows\SysWOW64\Fipbnn32.exe
        
        C:\Windows\system32\Fipbnn32.exe
        46⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Fmnkdm32.exe
        
        C:\Windows\system32\Fmnkdm32.exe
        47⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Gdhcagnp.exe
        
        C:\Windows\system32\Gdhcagnp.exe
        48⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Gkbkna32.exe
        
        C:\Windows\system32\Gkbkna32.exe
        49⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Ganppk32.exe
        
        C:\Windows\system32\Ganppk32.exe
        50⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Gkgeipah.exe
        
        C:\Windows\system32\Gkgeipah.exe
        51⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Gpcmagpo.exe
        
        C:\Windows\system32\Gpcmagpo.exe
        52⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Gilajmfp.exe
        
        C:\Windows\system32\Gilajmfp.exe
        53⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Gjnnoldm.exe
        
        C:\Windows\system32\Gjnnoldm.exe
        54⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Hknkiokp.exe
        
        C:\Windows\system32\Hknkiokp.exe
        55⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Hkpgooim.exe
        
        C:\Windows\system32\Hkpgooim.exe
        56⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Hhdhhchf.exe
        
        C:\Windows\system32\Hhdhhchf.exe
        57⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Hjedpkne.exe
        
        C:\Windows\system32\Hjedpkne.exe
        58⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Hhfenc32.exe
        
        C:\Windows\system32\Hhfenc32.exe
        59⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Hncmfj32.exe
        
        C:\Windows\system32\Hncmfj32.exe
        60⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Hhiacb32.exe
        
        C:\Windows\system32\Hhiacb32.exe
        61⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Idpbhc32.exe
        
        C:\Windows\system32\Idpbhc32.exe
        62⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Inhgaipf.exe
        
        C:\Windows\system32\Inhgaipf.exe
        63⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Iklgkmop.exe
        
        C:\Windows\system32\Iklgkmop.exe
        64⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Iddlccfp.exe
        
        C:\Windows\system32\Iddlccfp.exe
        65⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Inmplh32.exe
        
        C:\Windows\system32\Inmplh32.exe
        66⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Ikqqfm32.exe
        
        C:\Windows\system32\Ikqqfm32.exe
        67⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Iqmincia.exe
        
        C:\Windows\system32\Iqmincia.exe
        68⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Ikcmklih.exe
        
        C:\Windows\system32\Ikcmklih.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Jqpfccgo.exe
        
        C:\Windows\system32\Jqpfccgo.exe
        70⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Jkejalge.exe
        
        C:\Windows\system32\Jkejalge.exe
        71⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Jdnnjane.exe
        
        C:\Windows\system32\Jdnnjane.exe
        72⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Jkggfl32.exe
        
        C:\Windows\system32\Jkggfl32.exe
        73⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Jhlgpp32.exe
        
        C:\Windows\system32\Jhlgpp32.exe
        74⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Jnhphg32.exe
        
        C:\Windows\system32\Jnhphg32.exe
        75⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Jdbheajp.exe
        
        C:\Windows\system32\Jdbheajp.exe
        76⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Jjopmh32.exe
        
        C:\Windows\system32\Jjopmh32.exe
        77⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Knmicfnn.exe
        
        C:\Windows\system32\Knmicfnn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Kdgapp32.exe
        
        C:\Windows\system32\Kdgapp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7628

C:\Windows\SysWOW64\Kjdjhgdb.exe
C:\Windows\system32\Kjdjhgdb.exe
1⤵
- Drops file in System32 directory
PID:2968
- C:\Windows\SysWOW64\Kqnbea32.exe
  C:\Windows\system32\Kqnbea32.exe
  2⤵
  - Modifies registry class
  PID:7044
- - C:\Windows\SysWOW64\Kghjakbl.exe
    C:\Windows\system32\Kghjakbl.exe
    3⤵
    PID:7036
  - - C:\Windows\SysWOW64\Kjffngap.exe
      C:\Windows\system32\Kjffngap.exe
      4⤵
      Modifies registry class
      PID:7708
    - - C:\Windows\SysWOW64\Kqpoja32.exe
        
        C:\Windows\system32\Kqpoja32.exe
        5⤵
        Drops file in System32 directory
        
        PID:7264
      - C:\Windows\SysWOW64\Kkechjib.exe
        
        C:\Windows\system32\Kkechjib.exe
        6⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Kabkpqgj.exe
        
        C:\Windows\system32\Kabkpqgj.exe
        7⤵
        
        PID:1068

C:\Windows\SysWOW64\Kglcmk32.exe
C:\Windows\system32\Kglcmk32.exe
1⤵
PID:3560
- C:\Windows\SysWOW64\Lkjlciem.exe
  C:\Windows\system32\Lkjlciem.exe
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\Lagekp32.exe
    C:\Windows\system32\Lagekp32.exe
    3⤵
    PID:7820
  - - C:\Windows\SysWOW64\Ljpideje.exe
      C:\Windows\system32\Ljpideje.exe
      4⤵
      PID:7524
    - - C:\Windows\SysWOW64\Leenanik.exe
        
        C:\Windows\system32\Leenanik.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
      - C:\Windows\SysWOW64\Ljbfiegb.exe
        
        C:\Windows\system32\Ljbfiegb.exe
        6⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Licfgmpa.exe
        
        C:\Windows\system32\Licfgmpa.exe
        7⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ljdboe32.exe
        
        C:\Windows\system32\Ljdboe32.exe
        8⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lejgln32.exe
        
        C:\Windows\system32\Lejgln32.exe
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Llcoihmb.exe
        
        C:\Windows\system32\Llcoihmb.exe
        10⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Lelcbmcc.exe
        
        C:\Windows\system32\Lelcbmcc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4000
        
        C:\Windows\SysWOW64\Mlflog32.exe
        
        C:\Windows\system32\Mlflog32.exe
        12⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Mhmmchpd.exe
        
        C:\Windows\system32\Mhmmchpd.exe
        13⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Maealn32.exe
        
        C:\Windows\system32\Maealn32.exe
        14⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Mlkejgfj.exe
        
        C:\Windows\system32\Mlkejgfj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Magnbnea.exe
        
        C:\Windows\system32\Magnbnea.exe
        16⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\Mnknkbdk.exe
        
        C:\Windows\system32\Mnknkbdk.exe
        17⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Meefhl32.exe
        
        C:\Windows\system32\Meefhl32.exe
        18⤵
        
        PID:9312

C:\Windows\SysWOW64\Mjbopcip.exe
C:\Windows\system32\Mjbopcip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9348
- C:\Windows\SysWOW64\Mbigapjb.exe
  C:\Windows\system32\Mbigapjb.exe
  2⤵
  PID:9392
- - C:\Windows\SysWOW64\Niconj32.exe
    C:\Windows\system32\Niconj32.exe
    3⤵
    PID:9436
  - - C:\Windows\SysWOW64\Nblcgpho.exe
      C:\Windows\system32\Nblcgpho.exe
      4⤵
      PID:9484
    - - C:\Windows\SysWOW64\Nldhpeop.exe
        
        C:\Windows\system32\Nldhpeop.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9532
      - C:\Windows\SysWOW64\Naaqhlmg.exe
        
        C:\Windows\system32\Naaqhlmg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9572
        
        C:\Windows\SysWOW64\Nhkief32.exe
        
        C:\Windows\system32\Nhkief32.exe
        7⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Noeaaqlq.exe
        
        C:\Windows\system32\Noeaaqlq.exe
        8⤵
        Drops file in System32 directory
        
        PID:9660
        
        C:\Windows\SysWOW64\Neoink32.exe
        
        C:\Windows\system32\Neoink32.exe
        9⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Nklbfaae.exe
        
        C:\Windows\system32\Nklbfaae.exe
        10⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Naejcl32.exe
        
        C:\Windows\system32\Naejcl32.exe
        11⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Nknolaob.exe
        
        C:\Windows\system32\Nknolaob.exe
        12⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Nahgik32.exe
        
        C:\Windows\system32\Nahgik32.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9916
        
        C:\Windows\SysWOW64\Ohboeenl.exe
        
        C:\Windows\system32\Ohboeenl.exe
        14⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Oolgbpei.exe
        
        C:\Windows\system32\Oolgbpei.exe
        15⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Oiakpheo.exe
        
        C:\Windows\system32\Oiakpheo.exe
        16⤵
        Modifies registry class
        
        PID:10068
        
        C:\Windows\SysWOW64\Oampdkbj.exe
        
        C:\Windows\system32\Oampdkbj.exe
        17⤵
        Drops file in System32 directory
        
        PID:10108
        
        C:\Windows\SysWOW64\Olbdacbp.exe
        
        C:\Windows\system32\Olbdacbp.exe
        18⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Oifekg32.exe
        
        C:\Windows\system32\Oifekg32.exe
        19⤵
        Drops file in System32 directory
        
        PID:10212
        
        C:\Windows\SysWOW64\Okgabpgg.exe
        
        C:\Windows\system32\Okgabpgg.exe
        20⤵
        Drops file in System32 directory
        
        PID:8076
        
        C:\Windows\SysWOW64\Oihapg32.exe
        
        C:\Windows\system32\Oihapg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9252
        
        C:\Windows\SysWOW64\Ooejhn32.exe
        
        C:\Windows\system32\Ooejhn32.exe
        22⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Plijbblh.exe
        
        C:\Windows\system32\Plijbblh.exe
        23⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Pimkkfka.exe
        
        C:\Windows\system32\Pimkkfka.exe
        24⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Pedlpgqe.exe
        
        C:\Windows\system32\Pedlpgqe.exe
        25⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Polpim32.exe
        
        C:\Windows\system32\Polpim32.exe
        26⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Phddbbnf.exe
        
        C:\Windows\system32\Phddbbnf.exe
        27⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Pehekgmp.exe
        
        C:\Windows\system32\Pehekgmp.exe
        28⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Qaofphbd.exe
        
        C:\Windows\system32\Qaofphbd.exe
        29⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Qlejnqbj.exe
        
        C:\Windows\system32\Qlejnqbj.exe
        30⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Qaabfgpa.exe
        
        C:\Windows\system32\Qaabfgpa.exe
        31⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Acaopjgd.exe
        
        C:\Windows\system32\Acaopjgd.exe
        32⤵
        Modifies registry class
        
        PID:9944
        
        C:\Windows\SysWOW64\Aljcip32.exe
        
        C:\Windows\system32\Aljcip32.exe
        33⤵
        Drops file in System32 directory
        
        PID:10004
        
        C:\Windows\SysWOW64\Aaflag32.exe
        
        C:\Windows\system32\Aaflag32.exe
        34⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Ahpdnaci.exe
        
        C:\Windows\system32\Ahpdnaci.exe
        35⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Aaiiffjj.exe
        
        C:\Windows\system32\Aaiiffjj.exe
        36⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Alnmdojp.exe
        
        C:\Windows\system32\Alnmdojp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10220
        
        C:\Windows\SysWOW64\Afinbdon.exe
        
        C:\Windows\system32\Afinbdon.exe
        38⤵
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Alcfoo32.exe
        
        C:\Windows\system32\Alcfoo32.exe
        39⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Bjgghc32.exe
        
        C:\Windows\system32\Bjgghc32.exe
        40⤵
        Drops file in System32 directory
        
        PID:9360
        
        C:\Windows\SysWOW64\Bhldio32.exe
        
        C:\Windows\system32\Bhldio32.exe
        41⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Bjlpcbqo.exe
        
        C:\Windows\system32\Bjlpcbqo.exe
        42⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Bbgehd32.exe
        
        C:\Windows\system32\Bbgehd32.exe
        43⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Bfenncdp.exe
        
        C:\Windows\system32\Bfenncdp.exe
        44⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Combgh32.exe
        
        C:\Windows\system32\Combgh32.exe
        45⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Cmabpmjj.exe
        
        C:\Windows\system32\Cmabpmjj.exe
        46⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Cbnkhcha.exe
        
        C:\Windows\system32\Cbnkhcha.exe
        47⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Ckfpai32.exe
        
        C:\Windows\system32\Ckfpai32.exe
        48⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\Cjgpoq32.exe
        
        C:\Windows\system32\Cjgpoq32.exe
        49⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Ccpdhfmb.exe
        
        C:\Windows\system32\Ccpdhfmb.exe
        50⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Cofemg32.exe
        
        C:\Windows\system32\Cofemg32.exe
        51⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Dkmebh32.exe
        
        C:\Windows\system32\Dkmebh32.exe
        52⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Dcgjie32.exe
        
        C:\Windows\system32\Dcgjie32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Dcigneeg.exe
        
        C:\Windows\system32\Dcigneeg.exe
        54⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Dmdhmj32.exe
        
        C:\Windows\system32\Dmdhmj32.exe
        55⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Djhifnho.exe
        
        C:\Windows\system32\Djhifnho.exe
        56⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Epdaneff.exe
        
        C:\Windows\system32\Epdaneff.exe
        57⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Elkbcf32.exe
        
        C:\Windows\system32\Elkbcf32.exe
        58⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Epikid32.exe
        
        C:\Windows\system32\Epikid32.exe
        59⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Fmbdnhme.exe
        
        C:\Windows\system32\Fmbdnhme.exe
        60⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Fjfegl32.exe
        
        C:\Windows\system32\Fjfegl32.exe
        61⤵
        
        PID:2736

C:\Windows\SysWOW64\Fbajlo32.exe
C:\Windows\system32\Fbajlo32.exe
1⤵
PID:7376

C:\Windows\SysWOW64\Gpimflqb.exe
C:\Windows\system32\Gpimflqb.exe
1⤵
PID:5640
- C:\Windows\SysWOW64\Gmmmoppl.exe
  C:\Windows\system32\Gmmmoppl.exe
  2⤵
  PID:7248

C:\Windows\SysWOW64\Glbjpmdd.exe
C:\Windows\system32\Glbjpmdd.exe
1⤵
PID:5984
- C:\Windows\SysWOW64\Gihgoq32.exe
  C:\Windows\system32\Gihgoq32.exe
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\Geohdago.exe
    C:\Windows\system32\Geohdago.exe
    3⤵
    PID:5940
  - - C:\Windows\SysWOW64\Hpdlajfe.exe
      C:\Windows\system32\Hpdlajfe.exe
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\Headjael.exe
        
        C:\Windows\system32\Headjael.exe
        5⤵
        
        PID:4428

C:\Windows\SysWOW64\Gehbcb32.exe
C:\Windows\system32\Gehbcb32.exe
1⤵
PID:680

C:\Windows\SysWOW64\Ofqnlplf.exe
C:\Windows\system32\Ofqnlplf.exe
1⤵
- Drops file in System32 directory
PID:5488
- C:\Windows\SysWOW64\Obnebp32.exe
  C:\Windows\system32\Obnebp32.exe
  2⤵
  PID:6412
- - C:\Windows\SysWOW64\Pcpnab32.exe
    C:\Windows\system32\Pcpnab32.exe
    3⤵
    PID:3944
  - - C:\Windows\SysWOW64\Abonimmp.exe
      C:\Windows\system32\Abonimmp.exe
      4⤵
      PID:2504

C:\Windows\SysWOW64\Aabkldcl.exe
C:\Windows\system32\Aabkldcl.exe
1⤵
PID:6644
- C:\Windows\SysWOW64\Aimoqgqg.exe
  C:\Windows\system32\Aimoqgqg.exe
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 408
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Program crash
    PID:9868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5632 -ip 5632
1⤵
PID:4160

C:\Windows\system32\usoclient.exe
C:\Windows\system32\usoclient.exe StartScan
1⤵
- Modifies registry class
PID:6704

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anjpeelk.exe

Filesize
430KB

MD5
065bf61ac229759aa6a13101d848c828

SHA1
24d48d1dcf1b6ed5203c8563fa04aee60493ed8a

SHA256
89d0e6fee72f61e5ee06a0564c6b9f6c60dda8acb7a42168e54f05527caa0d12

SHA512
9e62425e6212df67c2e94bbe5c7b1c07f284351b00e3edb8bcdc1496aa3556a45999afd9d4e278c43b19368eb5b7398b609297893d5a88ff6407ed7cf87f1acf

Download Submit
C:\Windows\SysWOW64\Anjpeelk.exe

Filesize
430KB

MD5
065bf61ac229759aa6a13101d848c828

SHA1
24d48d1dcf1b6ed5203c8563fa04aee60493ed8a

SHA256
89d0e6fee72f61e5ee06a0564c6b9f6c60dda8acb7a42168e54f05527caa0d12

SHA512
9e62425e6212df67c2e94bbe5c7b1c07f284351b00e3edb8bcdc1496aa3556a45999afd9d4e278c43b19368eb5b7398b609297893d5a88ff6407ed7cf87f1acf

Download Submit
C:\Windows\SysWOW64\Anqfepaj.exe

Filesize
430KB

MD5
cd86f49e929fd3fe137a1beaf54e220f

SHA1
900a1e4fffe57e6958cbbcb55a4d4e4dbd8e0db9

SHA256
cab5f0fa025eefda7c72309b7da3d287d3b6ff9fb14eacde5918f8431de832dc

SHA512
711fa0f23417a7c974b0363e98983b00c93fde0924a48cfe887bac8bc121f599e34219ea4506976cd3ee2bf159eb3ebcafe8a6019ba2d31d33306847235cbf28

Download Submit
C:\Windows\SysWOW64\Bdfnmhnj.exe

Filesize
430KB

MD5
40164432814b5cb5156dd63dfa17eb10

SHA1
044a7b9d91a8a728e8b5cc37aa83d001dab834f1

SHA256
3370083ba64c23c315632f336dfefee4d577f15fbcc94a3134de983a104ff845

SHA512
dcba1af559ef87dd9eb953caa6dc82ae5984d248063391f31618ff2d45040a532335c9d536c12cd9a87ebb175c8b4e5a265d1d4c7fdf4b4bcb2d00337916de21

Download Submit
C:\Windows\SysWOW64\Bhblfpng.exe

Filesize
430KB

MD5
07c973705e9f4e800d53dd4259d005a2

SHA1
c77f6f3b73f5c56f522414708a235eca9dd1ad03

SHA256
b441cddc4231edda5a8e16c52667210f8e9dc2335d730361c44c9d85a255e062

SHA512
31eea53e8d42c6d2cf863c31b7e6fcff4e303a5ead36a5ce2d41f94f4d0d585a10b67a3765f1279c185102c07c4291e98a76c549dd04c3993fbc0cb0fd8fde65

Download Submit
C:\Windows\SysWOW64\Bjmpfdhb.exe

Filesize
430KB

MD5
d22ae63026ac6b0e7c1613a570483e81

SHA1
b3064dc551083550bdd4a25b52e456164764632f

SHA256
524fcd8a7f77ee4b7c5569594dda93135f5542a3e37793055ab8373223127ccb

SHA512
b31e2dc592169f053f89f8741d2e9c40d34f467e997407fc2ca024ac96693b419186d75f0782d9cc28bd2339f8e6f86637a7b1cd6215f5239f6ab1b872f0649c

Download Submit
C:\Windows\SysWOW64\Bjmpfdhb.exe

Filesize
430KB

MD5
d22ae63026ac6b0e7c1613a570483e81

SHA1
b3064dc551083550bdd4a25b52e456164764632f

SHA256
524fcd8a7f77ee4b7c5569594dda93135f5542a3e37793055ab8373223127ccb

SHA512
b31e2dc592169f053f89f8741d2e9c40d34f467e997407fc2ca024ac96693b419186d75f0782d9cc28bd2339f8e6f86637a7b1cd6215f5239f6ab1b872f0649c

Download Submit
C:\Windows\SysWOW64\Bqbohocd.exe

Filesize
430KB

MD5
6437da313fe08711ea272bf17094d4cb

SHA1
9ba7e1265109f2afbf1fcd9affb52f28d951a38f

SHA256
6f5ce8c63082a7278c025dd2d280c913efc01e6572e53a6ee3bfe6b2107888d3

SHA512
35ac52bee21b3d5cb30a4e36148bc3720ad20b507062fce023927f671b94ff424617b34d6b76b3d772724a794f534fc5f4d1620b2678facf045d2ad18df76455

Download Submit
C:\Windows\SysWOW64\Bqbohocd.exe

Filesize
430KB

MD5
6437da313fe08711ea272bf17094d4cb

SHA1
9ba7e1265109f2afbf1fcd9affb52f28d951a38f

SHA256
6f5ce8c63082a7278c025dd2d280c913efc01e6572e53a6ee3bfe6b2107888d3

SHA512
35ac52bee21b3d5cb30a4e36148bc3720ad20b507062fce023927f671b94ff424617b34d6b76b3d772724a794f534fc5f4d1620b2678facf045d2ad18df76455

Download Submit
C:\Windows\SysWOW64\Cigcjj32.exe

Filesize
430KB

MD5
cea9aa7e98fdddccfbcc883ec11f5f2f

SHA1
748d156aff8d9e4e167a31ad1297b331630707c6

SHA256
f4ae3c88bb4a0b7f0ea74c1f13c4facdbea72c10f4d0eea4d0ed7abf4bb27c77

SHA512
7bc11f470d0e3273b4adb9884072ba4c6e3ed677f4243b3ebc1f75263f0d5c4ad1a9e3b94169433866c3feef97a81502dba3b389c325de493beec1201e2337b0

Download Submit
C:\Windows\SysWOW64\Cigcjj32.exe

Filesize
430KB

MD5
cea9aa7e98fdddccfbcc883ec11f5f2f

SHA1
748d156aff8d9e4e167a31ad1297b331630707c6

SHA256
f4ae3c88bb4a0b7f0ea74c1f13c4facdbea72c10f4d0eea4d0ed7abf4bb27c77

SHA512
7bc11f470d0e3273b4adb9884072ba4c6e3ed677f4243b3ebc1f75263f0d5c4ad1a9e3b94169433866c3feef97a81502dba3b389c325de493beec1201e2337b0

Download Submit
C:\Windows\SysWOW64\Cjpllgme.exe

Filesize
430KB

MD5
2df72e0ab3f598fef4acf7ea19ac6690

SHA1
8a7cff3c4ba3e19af9d86bb6b4af4bd69ed38b37

SHA256
fed73a7337abab679dd8ecb4e1797f97996d03780e6c834c19cab9a924ca6a01

SHA512
c134912725544acee9c4fbade9b3f00e7840720726e38c8f2310cd3827495ea6c5be4581cd1294826a5588dbd68bc8172f3a3c40d374fcd2651e3455cac3f9d2

Download Submit
C:\Windows\SysWOW64\Cklffq32.exe

Filesize
430KB

MD5
132712a387a929acdacbe70a2f1c08bb

SHA1
284051cf27851be5aa4cc7385f123dc8021b7f92

SHA256
7126d998c3023d67cb18b7da61cd191d4eb657af67edfc7fda10cf6da775f45f

SHA512
e5012066443146a9b9b4be1eeacc97d895112b0495be4272e860fb169e04f1fb3c245c92f37add4c4a68fd788611146b38dfefc50d99f40b252c63fc9b14470f

Download Submit
C:\Windows\SysWOW64\Cnkilbni.exe

Filesize
430KB

MD5
dd9d3ddf0d64aebfc1297389e7121d4a

SHA1
c239e77c4e63a8069a7fbaa1899e8a2ca9a8e651

SHA256
ef576be464650cda689e60b7a59adb00a2218bdf48d1fed8475c9981e402bcb9

SHA512
149887943eded41a5fda4b96c8632cee3fbf0235b1e8840094970920262c076425c976e7a43dc0d163fc512844b4ddfe889242df65533ba05217b385dab8c320

Download Submit
C:\Windows\SysWOW64\Cnkilbni.exe

Filesize
430KB

MD5
dd9d3ddf0d64aebfc1297389e7121d4a

SHA1
c239e77c4e63a8069a7fbaa1899e8a2ca9a8e651

SHA256
ef576be464650cda689e60b7a59adb00a2218bdf48d1fed8475c9981e402bcb9

SHA512
149887943eded41a5fda4b96c8632cee3fbf0235b1e8840094970920262c076425c976e7a43dc0d163fc512844b4ddfe889242df65533ba05217b385dab8c320

Download Submit
C:\Windows\SysWOW64\Dbdano32.exe

Filesize
430KB

MD5
132f8a78b4fc57cb3d55ca16d9763be3

SHA1
f90b0a36dc898bc9a87587e99b1d46d65b82a636

SHA256
94c96ffcd9e62a4bfae015ddfc3b9ac0ef825dbe11f0a04058327e45e00a82d5

SHA512
7c4eb77898a6fcb3c7f2b9a3e3a134519e4f4571410d9628290818230ef6be2213eb469ea58b1d258d3c7a376be1eccad2256f1e85263719ed84ef9625e399c3

Download Submit
C:\Windows\SysWOW64\Dbdano32.exe

Filesize
430KB

MD5
132f8a78b4fc57cb3d55ca16d9763be3

SHA1
f90b0a36dc898bc9a87587e99b1d46d65b82a636

SHA256
94c96ffcd9e62a4bfae015ddfc3b9ac0ef825dbe11f0a04058327e45e00a82d5

SHA512
7c4eb77898a6fcb3c7f2b9a3e3a134519e4f4571410d9628290818230ef6be2213eb469ea58b1d258d3c7a376be1eccad2256f1e85263719ed84ef9625e399c3

Download Submit
C:\Windows\SysWOW64\Dbijinfl.exe

Filesize
430KB

MD5
3c78701dce588e2e5721c87e2066f5a8

SHA1
51d0f8bb3936749ecee6e2a30677cd89b93f2c9b

SHA256
be3a43ecb1f312035ff27591bfee1643a566ece620dce06583526fc9212b83b2

SHA512
64f89568656637a71248191f77e2e3a93102047d106114efb5ca86db9d94969334ac401f10814ccb673e636283d89fea1e89d1efabddb5e863bce747933a8cf3

Download Submit
C:\Windows\SysWOW64\Dbijinfl.exe

Filesize
430KB

MD5
3c78701dce588e2e5721c87e2066f5a8

SHA1
51d0f8bb3936749ecee6e2a30677cd89b93f2c9b

SHA256
be3a43ecb1f312035ff27591bfee1643a566ece620dce06583526fc9212b83b2

SHA512
64f89568656637a71248191f77e2e3a93102047d106114efb5ca86db9d94969334ac401f10814ccb673e636283d89fea1e89d1efabddb5e863bce747933a8cf3

Download Submit
C:\Windows\SysWOW64\Dlhlleeh.exe

Filesize
430KB

MD5
e756a0333cec48def89357f4fd6f529e

SHA1
cce722ac24063441fea0f6064fca8b383a39459f

SHA256
ae5dd8972b62ff4d4477a583990c24150aa831ea540175215135529e04e4f98f

SHA512
a04be8e6e93cc9286dd9c403d2eaa6bfeb6c508c32b77626e99b818bc6b5380a0194182961e65caa1d9961f2b9d5df769a1011d29f95853a1eef388481f11a39

Download Submit
C:\Windows\SysWOW64\Dlhlleeh.exe

Filesize
430KB

MD5
e756a0333cec48def89357f4fd6f529e

SHA1
cce722ac24063441fea0f6064fca8b383a39459f

SHA256
ae5dd8972b62ff4d4477a583990c24150aa831ea540175215135529e04e4f98f

SHA512
a04be8e6e93cc9286dd9c403d2eaa6bfeb6c508c32b77626e99b818bc6b5380a0194182961e65caa1d9961f2b9d5df769a1011d29f95853a1eef388481f11a39

Download Submit
C:\Windows\SysWOW64\Eeomfioh.exe

Filesize
430KB

MD5
a82281dc5fa0a176bef40b8bf1439ff7

SHA1
baebadb6aad1945890718d799e6931a30f8fe093

SHA256
aa8a695777dd89115c9a283981cf3932c5a52ff4210fd62f0f4e6354d921ff58

SHA512
12635361aed5bfcd7044f153c1a4ed4f3469ad5bdc501e2995d78b94190524655aee566966fe904c8dd5e3c3aa5e234f96fe2643373a6908c15b55a7c5c10c87

Download Submit
C:\Windows\SysWOW64\Eeomfioh.exe

Filesize
430KB

MD5
a82281dc5fa0a176bef40b8bf1439ff7

SHA1
baebadb6aad1945890718d799e6931a30f8fe093

SHA256
aa8a695777dd89115c9a283981cf3932c5a52ff4210fd62f0f4e6354d921ff58

SHA512
12635361aed5bfcd7044f153c1a4ed4f3469ad5bdc501e2995d78b94190524655aee566966fe904c8dd5e3c3aa5e234f96fe2643373a6908c15b55a7c5c10c87

Download Submit
C:\Windows\SysWOW64\Ejglcq32.exe

Filesize
430KB

MD5
3c78701dce588e2e5721c87e2066f5a8

SHA1
51d0f8bb3936749ecee6e2a30677cd89b93f2c9b

SHA256
be3a43ecb1f312035ff27591bfee1643a566ece620dce06583526fc9212b83b2

SHA512
64f89568656637a71248191f77e2e3a93102047d106114efb5ca86db9d94969334ac401f10814ccb673e636283d89fea1e89d1efabddb5e863bce747933a8cf3

Download Submit
C:\Windows\SysWOW64\Ejglcq32.exe

Filesize
430KB

MD5
a770a598f7e3824ce8fb78f0a84645aa

SHA1
9e1979528357a0d405cdba3e5b0c87bbc88f585d

SHA256
eb5005915a037856213f7d0d8a84b2f0331201240d8d1e58432d444f6778e630

SHA512
d53cbe0c48701a47f66811c583bd5bb138da53b84276e21ebe67e1f6bb1e3402f663fabff6aad005f3819fd403076e056c8e7eaa723aaff5025ce3e2b106967c

Download Submit
C:\Windows\SysWOW64\Ejglcq32.exe

Filesize
430KB

MD5
a770a598f7e3824ce8fb78f0a84645aa

SHA1
9e1979528357a0d405cdba3e5b0c87bbc88f585d

SHA256
eb5005915a037856213f7d0d8a84b2f0331201240d8d1e58432d444f6778e630

SHA512
d53cbe0c48701a47f66811c583bd5bb138da53b84276e21ebe67e1f6bb1e3402f663fabff6aad005f3819fd403076e056c8e7eaa723aaff5025ce3e2b106967c

Download Submit
C:\Windows\SysWOW64\Fbqiak32.exe

Filesize
430KB

MD5
ee5b32b88d4ae6ebee8b47ba87c26efd

SHA1
970cefd0191dc9358bf8f09630f6af9ca1cb1ddb

SHA256
14f23b3be378b9a0a0b5d3f2aa05a1ed820ea9d9bd441a5f009f6fa60c2959a3

SHA512
1ff099f0a429b16b5f4104486d45870875603d12e70b7834272502ebe9737f14d940dcc46d0ec952f31b00484611028428fa4f7239156fc5de9e5ac14fd3b2a4

Download Submit
C:\Windows\SysWOW64\Fbqiak32.exe

Filesize
430KB

MD5
ee5b32b88d4ae6ebee8b47ba87c26efd

SHA1
970cefd0191dc9358bf8f09630f6af9ca1cb1ddb

SHA256
14f23b3be378b9a0a0b5d3f2aa05a1ed820ea9d9bd441a5f009f6fa60c2959a3

SHA512
1ff099f0a429b16b5f4104486d45870875603d12e70b7834272502ebe9737f14d940dcc46d0ec952f31b00484611028428fa4f7239156fc5de9e5ac14fd3b2a4

Download Submit
C:\Windows\SysWOW64\Folkjnbc.exe

Filesize
430KB

MD5
786eab5df946ee8e1f91e0d9913877a6

SHA1
2b2fb18abac4bb1336544219fe940147a065e01a

SHA256
9126d9479cad0c70261f60487f35d75b3e8aab06a684fb887bc3e043f3897926

SHA512
ce495d27e705447ad6a1403f738b2bd6262ef4811560e44c37dd17dbd9335a22f0f52457ba2d6af53d1db7b3c496fe576acf2c105d217547b3fce3494fdf9b76

Download Submit
C:\Windows\SysWOW64\Folkjnbc.exe

Filesize
430KB

MD5
786eab5df946ee8e1f91e0d9913877a6

SHA1
2b2fb18abac4bb1336544219fe940147a065e01a

SHA256
9126d9479cad0c70261f60487f35d75b3e8aab06a684fb887bc3e043f3897926

SHA512
ce495d27e705447ad6a1403f738b2bd6262ef4811560e44c37dd17dbd9335a22f0f52457ba2d6af53d1db7b3c496fe576acf2c105d217547b3fce3494fdf9b76

Download Submit
C:\Windows\SysWOW64\Geqlhp32.exe

Filesize
430KB

MD5
8203007aabf99c2c3d8e612e2b42d5ad

SHA1
45c190e4dbbe8447df5d2d03be59586d3295d530

SHA256
4aa9707e43aa13b13fd98a5544ee4da3375fb8347dd2f789dbb6350e1fd779c2

SHA512
f9b5e2ef251088a88c3733bcdc9481a8a155da63eb449b6e2dc964aefeb386933f10db55c0fa2db56481320477a8ffb03504718bcc52033849b59b9bc118edcc

Download Submit
C:\Windows\SysWOW64\Gklnem32.exe

Filesize
430KB

MD5
35d28fe1d2a0541c317b336403c2c5a8

SHA1
171af9755ab4abec6d2f8699a020713bebb01bd1

SHA256
b3a3c7831ef10d85a2e0dbacf0902ebc971b858957931c303612511b7ca8870b

SHA512
d4dc7332af0af9486df05bb3b31772d3c5c213bdff9e3d1ded6590962f08a9c534b4d53e867a9af3dcbd1a9c5fe3b7ebb410c94aa4ea1bb31389004da9c2bf1d

Download Submit
C:\Windows\SysWOW64\Gklnem32.exe

Filesize
430KB

MD5
35d28fe1d2a0541c317b336403c2c5a8

SHA1
171af9755ab4abec6d2f8699a020713bebb01bd1

SHA256
b3a3c7831ef10d85a2e0dbacf0902ebc971b858957931c303612511b7ca8870b

SHA512
d4dc7332af0af9486df05bb3b31772d3c5c213bdff9e3d1ded6590962f08a9c534b4d53e867a9af3dcbd1a9c5fe3b7ebb410c94aa4ea1bb31389004da9c2bf1d

Download Submit
C:\Windows\SysWOW64\Gkqhpmkg.exe

Filesize
430KB

MD5
17f0ba53021e3bb7b668392cc49b1d78

SHA1
869111194e0d8072c8f789d06a9f6bd4d179e79c

SHA256
c08c6bfe639691bbc4b7df6818ca4026fc69cc906cc36f9677ed7dea1b138409

SHA512
2b41af4f9f33d28949c87fe02330716a5044cc2f789b2fb46e07144496caa1cb8b1f092da4f834346257278a6e60ec2e33421b2d4351af8f9fececfd75d8282e

Download Submit
C:\Windows\SysWOW64\Gkqhpmkg.exe

Filesize
430KB

MD5
17f0ba53021e3bb7b668392cc49b1d78

SHA1
869111194e0d8072c8f789d06a9f6bd4d179e79c

SHA256
c08c6bfe639691bbc4b7df6818ca4026fc69cc906cc36f9677ed7dea1b138409

SHA512
2b41af4f9f33d28949c87fe02330716a5044cc2f789b2fb46e07144496caa1cb8b1f092da4f834346257278a6e60ec2e33421b2d4351af8f9fececfd75d8282e

Download Submit
C:\Windows\SysWOW64\Hleneo32.exe

Filesize
430KB

MD5
17f0ba53021e3bb7b668392cc49b1d78

SHA1
869111194e0d8072c8f789d06a9f6bd4d179e79c

SHA256
c08c6bfe639691bbc4b7df6818ca4026fc69cc906cc36f9677ed7dea1b138409

SHA512
2b41af4f9f33d28949c87fe02330716a5044cc2f789b2fb46e07144496caa1cb8b1f092da4f834346257278a6e60ec2e33421b2d4351af8f9fececfd75d8282e

Download Submit
C:\Windows\SysWOW64\Hleneo32.exe

Filesize
430KB

MD5
e306cc6d2696f75696d97dde2e05c77d

SHA1
3f685e53764c29b459e5e61615bd60b028039120

SHA256
0680d6c1678725ad3c9ecccd2f14e47af285bfc9a22e2909da9055734349fa2c

SHA512
a6fc35197dde97838eee13ecebe630a47a526d927efb041fe83f92bdd46b32c5c5b3a6a0e5f1f8f5b45605b5a28ecff8c9914adf47a623c82554009a6f13ba2c

Download Submit
C:\Windows\SysWOW64\Hleneo32.exe

Filesize
430KB

MD5
e306cc6d2696f75696d97dde2e05c77d

SHA1
3f685e53764c29b459e5e61615bd60b028039120

SHA256
0680d6c1678725ad3c9ecccd2f14e47af285bfc9a22e2909da9055734349fa2c

SHA512
a6fc35197dde97838eee13ecebe630a47a526d927efb041fe83f92bdd46b32c5c5b3a6a0e5f1f8f5b45605b5a28ecff8c9914adf47a623c82554009a6f13ba2c

Download Submit
C:\Windows\SysWOW64\Hmdlhk32.exe

Filesize
430KB

MD5
99914d0483fd35bbbcf75dcde979cf42

SHA1
9b3ee859fd96278681b2d1adf973604dc4367eba

SHA256
8f5ab53a404b66bb90aa331a76a4981c2c5459a67617d60ce3a41ddb3171be47

SHA512
dbf53a8007620b354560d4e4c0b10f97114a1a3e80cf8af7abe52cac4dddb8178b1a1a98c7e74e8aef6a770a1b1756451a16bf3c6cbce725be54383cfd6916e8

Download Submit
C:\Windows\SysWOW64\Iameid32.exe

Filesize
430KB

MD5
b9750adf2261ada1d24d3d8efc591318

SHA1
701c689f0afb6f1f5e6d733b639943239d664213

SHA256
899cfe5490fb66922552af28874d5fe624625c28db598081b9ed701a0e8a94de

SHA512
afad45d1d75b3a57f61d2755a772e421789673048b40001267f381b701e8c1a3ea6e117a534952d5ae9bc623df6eae0c084652c47da1ef9a62040acf7a193cba

Download Submit
C:\Windows\SysWOW64\Iameid32.exe

Filesize
430KB

MD5
b9750adf2261ada1d24d3d8efc591318

SHA1
701c689f0afb6f1f5e6d733b639943239d664213

SHA256
899cfe5490fb66922552af28874d5fe624625c28db598081b9ed701a0e8a94de

SHA512
afad45d1d75b3a57f61d2755a772e421789673048b40001267f381b701e8c1a3ea6e117a534952d5ae9bc623df6eae0c084652c47da1ef9a62040acf7a193cba

Download Submit
C:\Windows\SysWOW64\Idpbhc32.exe

Filesize
430KB

MD5
06b69d122e1c94293cbea1dd656c4da2

SHA1
8790df2310e99d6733359b2466fd812431a2413f

SHA256
ae4628e857e2af381e2c9f1f0ba1be1a1ef92c7b99874cdeb396aa13b7df6cc1

SHA512
fdb98ca89850749b249ed719dbd2355929c637acd09c7da3b41ae63b0e36cc71d0ee2dcc4e92cb0f38d7df2ec381836c08e4bd8d7e6be4ff1253b18133bbab03

Download Submit
C:\Windows\SysWOW64\Ifnkeb32.exe

Filesize
430KB

MD5
b9750adf2261ada1d24d3d8efc591318

SHA1
701c689f0afb6f1f5e6d733b639943239d664213

SHA256
899cfe5490fb66922552af28874d5fe624625c28db598081b9ed701a0e8a94de

SHA512
afad45d1d75b3a57f61d2755a772e421789673048b40001267f381b701e8c1a3ea6e117a534952d5ae9bc623df6eae0c084652c47da1ef9a62040acf7a193cba

Download Submit
C:\Windows\SysWOW64\Ifnkeb32.exe

Filesize
430KB

MD5
5eecb44a187b815c82b53eb4c2e84400

SHA1
c39d233cf0a7c0ff09bddc54e27e40f9c673e2d4

SHA256
ac846fd2d3db3e142811c937b1ccb26bba33d9d3194a51722fba125ab4397a13

SHA512
f0e1aae9d1c19af58665dc98ee2e6ec0f7d9ea89c325051a7d67aeb6f15c1bf68a1b56eb16601c536d29693eb6000ac0857c7146fd3f3707b43b7ace74b97db2

Download Submit
C:\Windows\SysWOW64\Ifnkeb32.exe

Filesize
430KB

MD5
5eecb44a187b815c82b53eb4c2e84400

SHA1
c39d233cf0a7c0ff09bddc54e27e40f9c673e2d4

SHA256
ac846fd2d3db3e142811c937b1ccb26bba33d9d3194a51722fba125ab4397a13

SHA512
f0e1aae9d1c19af58665dc98ee2e6ec0f7d9ea89c325051a7d67aeb6f15c1bf68a1b56eb16601c536d29693eb6000ac0857c7146fd3f3707b43b7ace74b97db2

Download Submit
C:\Windows\SysWOW64\Jhcmbm32.exe

Filesize
430KB

MD5
1890bba1df63732766864787554beac1

SHA1
9acca9766883fdabd672de019e287ea609bfd185

SHA256
f73d494115c38e010e08c1b20c7c507759e8102189d5bce7a0e9f26dda638b12

SHA512
dbde526698899c7dd983c4af5089a720bc5486768b03c2e5d0f7ff30e51a58c4aacf44ff9bc877ebed2ad8d212ad4d00ee7e512eec48c0ad68e375fbd4db26bb

Download Submit
C:\Windows\SysWOW64\Jhcmbm32.exe

Filesize
430KB

MD5
1890bba1df63732766864787554beac1

SHA1
9acca9766883fdabd672de019e287ea609bfd185

SHA256
f73d494115c38e010e08c1b20c7c507759e8102189d5bce7a0e9f26dda638b12

SHA512
dbde526698899c7dd983c4af5089a720bc5486768b03c2e5d0f7ff30e51a58c4aacf44ff9bc877ebed2ad8d212ad4d00ee7e512eec48c0ad68e375fbd4db26bb

Download Submit
C:\Windows\SysWOW64\Jhejgl32.exe

Filesize
430KB

MD5
e1a4093a2a84a65c2522b9612de4e7b9

SHA1
bab1f14a39b4b91d56552153ed71d0c23cd107af

SHA256
05e9f6d75cc0dc39b036d4c9f22125c140a4a0e08eb5b63dbbc26af4f04970c7

SHA512
f22e9b01dd8a9a7af7c4dddbb92bd68e6be191e8d423a488183dfb7a5b863b09424244ef8a9cf9a59af41ba5d49dd4c4b6d88358faed2f7b034ad3b3ec5e16ed

Download Submit
C:\Windows\SysWOW64\Jhejgl32.exe

Filesize
430KB

MD5
e1a4093a2a84a65c2522b9612de4e7b9

SHA1
bab1f14a39b4b91d56552153ed71d0c23cd107af

SHA256
05e9f6d75cc0dc39b036d4c9f22125c140a4a0e08eb5b63dbbc26af4f04970c7

SHA512
f22e9b01dd8a9a7af7c4dddbb92bd68e6be191e8d423a488183dfb7a5b863b09424244ef8a9cf9a59af41ba5d49dd4c4b6d88358faed2f7b034ad3b3ec5e16ed

Download Submit
C:\Windows\SysWOW64\Jhhgmlli.exe

Filesize
430KB

MD5
3d392e0db64ded54ef34b128d3618997

SHA1
7a2e5fb0a7dcce47e71814c4274361539dfd7207

SHA256
b8baf54cab9d8b726104a003ea52e05e11d78254e11a5b58edfa2ea311e2c272

SHA512
500162eaf25021709c2dd58996b0cc18d6112f7e1a9e6e869ea7ebfbfaadb20d5292ae187154f4102bbf332360709d731b30c4386fd7fa756b0ace8900da4218

Download Submit
C:\Windows\SysWOW64\Jhhgmlli.exe

Filesize
430KB

MD5
3d392e0db64ded54ef34b128d3618997

SHA1
7a2e5fb0a7dcce47e71814c4274361539dfd7207

SHA256
b8baf54cab9d8b726104a003ea52e05e11d78254e11a5b58edfa2ea311e2c272

SHA512
500162eaf25021709c2dd58996b0cc18d6112f7e1a9e6e869ea7ebfbfaadb20d5292ae187154f4102bbf332360709d731b30c4386fd7fa756b0ace8900da4218

Download Submit
C:\Windows\SysWOW64\Jjnqap32.exe

Filesize
430KB

MD5
0540a354e159648df6db689399c63e93

SHA1
97607d140c11b3b67c02d019e45c39ff17c52a35

SHA256
828bc108b8389b32a560d3fd0e17b7b5eee43bc966f4543b2a40a10962c8214c

SHA512
4102cbdb99f091f97a65a0c48e9d86470f513654a388d8d8da6073450b268c7bf3ad0199203d923b0612ef8257778b406a3627281e41e0ac1212573e040a8e4e

Download Submit
C:\Windows\SysWOW64\Jjnqap32.exe

Filesize
430KB

MD5
0540a354e159648df6db689399c63e93

SHA1
97607d140c11b3b67c02d019e45c39ff17c52a35

SHA256
828bc108b8389b32a560d3fd0e17b7b5eee43bc966f4543b2a40a10962c8214c

SHA512
4102cbdb99f091f97a65a0c48e9d86470f513654a388d8d8da6073450b268c7bf3ad0199203d923b0612ef8257778b406a3627281e41e0ac1212573e040a8e4e

Download Submit
C:\Windows\SysWOW64\Kiomnk32.exe

Filesize
430KB

MD5
0115fab761f9c02663941d3bd3fc5cba

SHA1
bd24eab291386f1ac652d0d9a810399773a979db

SHA256
e7aca508b3c171ea6db154c0e1588d8024b758de7e91dc76dfb0523497717fa6

SHA512
55294345988f51a202e7f7a65fe96674d2b6dcc9239e95c1ad6cc40a26d19da5449092a8763a208b3f278e6bf631af5f94c4005096d4ecc4b4cf4c92d735219e

Download Submit
C:\Windows\SysWOW64\Kiomnk32.exe

Filesize
430KB

MD5
0115fab761f9c02663941d3bd3fc5cba

SHA1
bd24eab291386f1ac652d0d9a810399773a979db

SHA256
e7aca508b3c171ea6db154c0e1588d8024b758de7e91dc76dfb0523497717fa6

SHA512
55294345988f51a202e7f7a65fe96674d2b6dcc9239e95c1ad6cc40a26d19da5449092a8763a208b3f278e6bf631af5f94c4005096d4ecc4b4cf4c92d735219e

Download Submit
C:\Windows\SysWOW64\Kjipmoai.exe

Filesize
430KB

MD5
bc5175e2ba27ce8cbc5e9b49c7bd4edc

SHA1
fc360ac0472bee95bebb95e2363580a661dd6e33

SHA256
5242c2d6200719b15a09520d45226a6330a90f4cf7603b23e2a31fffa12eb95d

SHA512
65a674b1b1588c2b67ae78b15dc88e5bfb650ce14aae22c663c2430ac27e693aa2fb62a1527a84997f94dc976a94008a8dd1de4a7e091374b47e93be4165b7d7

Download Submit
C:\Windows\SysWOW64\Kjipmoai.exe

Filesize
430KB

MD5
bc5175e2ba27ce8cbc5e9b49c7bd4edc

SHA1
fc360ac0472bee95bebb95e2363580a661dd6e33

SHA256
5242c2d6200719b15a09520d45226a6330a90f4cf7603b23e2a31fffa12eb95d

SHA512
65a674b1b1588c2b67ae78b15dc88e5bfb650ce14aae22c663c2430ac27e693aa2fb62a1527a84997f94dc976a94008a8dd1de4a7e091374b47e93be4165b7d7

Download Submit
C:\Windows\SysWOW64\Kkabefqp.exe

Filesize
430KB

MD5
0115fab761f9c02663941d3bd3fc5cba

SHA1
bd24eab291386f1ac652d0d9a810399773a979db

SHA256
e7aca508b3c171ea6db154c0e1588d8024b758de7e91dc76dfb0523497717fa6

SHA512
55294345988f51a202e7f7a65fe96674d2b6dcc9239e95c1ad6cc40a26d19da5449092a8763a208b3f278e6bf631af5f94c4005096d4ecc4b4cf4c92d735219e

Download Submit
C:\Windows\SysWOW64\Kkabefqp.exe

Filesize
430KB

MD5
6c95c1851838a93a40d559cbdc440c01

SHA1
6262ea96dad226cabd3de4345cce4226ba1a0e1b

SHA256
c3c70b821070e14c7a1c14ce6d24b758da51b25b2eee77021e66954665486ad2

SHA512
0db1ed6ccc8528529c4f0fad2b267f333ab2d06065efff9559aa0468914ae2e0cec1e1569f4212a8b7e1ee7e8d613ea81d1aa0a8ed8d4f9c7a604a2f7d8d28cb

Download Submit
C:\Windows\SysWOW64\Kkabefqp.exe

Filesize
430KB

MD5
6c95c1851838a93a40d559cbdc440c01

SHA1
6262ea96dad226cabd3de4345cce4226ba1a0e1b

SHA256
c3c70b821070e14c7a1c14ce6d24b758da51b25b2eee77021e66954665486ad2

SHA512
0db1ed6ccc8528529c4f0fad2b267f333ab2d06065efff9559aa0468914ae2e0cec1e1569f4212a8b7e1ee7e8d613ea81d1aa0a8ed8d4f9c7a604a2f7d8d28cb

Download Submit
C:\Windows\SysWOW64\Ldiiio32.exe

Filesize
430KB

MD5
ca8466e3898da382efe2940f2e7af99c

SHA1
fc8f44190705211c61b304db6fc96e19f5a13cd6

SHA256
53cbb6bc80d21b0b62b084e332693805a2cfe90dfa3cdd8c71acef7b885a51c4

SHA512
09f4de297a5e870dccf19a35251dac04d050e519e9f1fca0cdf2f6f9a0ecf306bd401060afd7a12eaae9e71b9dce6ae0b8e69c8d8169a2d063320bec7c8d50e8

Download Submit
C:\Windows\SysWOW64\Ljjicl32.exe

Filesize
430KB

MD5
c4d7171aca487ce6d7355d93101b0499

SHA1
77ebe34bc44dfeb7de04d488919b840511c1fd32

SHA256
8e157f057a7c9d000fb4e27559c85610db30ae00594a818505bbdf8d09d14b94

SHA512
c54eeee936a6672a8b5eb278f2d97c84d22b54f85c220b254a1f0ba4b3bfa5c6372e82465bef40c108e051742e1e365bb5b6b41e49071e4b33ae9fbe892a5de2

Download Submit
C:\Windows\SysWOW64\Ljjicl32.exe

Filesize
430KB

MD5
c4d7171aca487ce6d7355d93101b0499

SHA1
77ebe34bc44dfeb7de04d488919b840511c1fd32

SHA256
8e157f057a7c9d000fb4e27559c85610db30ae00594a818505bbdf8d09d14b94

SHA512
c54eeee936a6672a8b5eb278f2d97c84d22b54f85c220b254a1f0ba4b3bfa5c6372e82465bef40c108e051742e1e365bb5b6b41e49071e4b33ae9fbe892a5de2

Download Submit
C:\Windows\SysWOW64\Lkflpe32.exe

Filesize
430KB

MD5
62a5cc61245ace6745bc70723fb60af5

SHA1
fccf211dfc78580b01dc2a74c42b76465dd21d0a

SHA256
d7d540059af1dc482cac0a66884469dd3b92844e81c29b217c839d9268db240d

SHA512
40ed70526641bbfffb1093b6fa6637b54f4bdd31913ca96e8912d8c4ff91fa6f6154c9829da9494eb83be202f9dab8075b73bdba58964964ef1e0d85af2f3d67

Download Submit
C:\Windows\SysWOW64\Lkflpe32.exe

Filesize
430KB

MD5
62a5cc61245ace6745bc70723fb60af5

SHA1
fccf211dfc78580b01dc2a74c42b76465dd21d0a

SHA256
d7d540059af1dc482cac0a66884469dd3b92844e81c29b217c839d9268db240d

SHA512
40ed70526641bbfffb1093b6fa6637b54f4bdd31913ca96e8912d8c4ff91fa6f6154c9829da9494eb83be202f9dab8075b73bdba58964964ef1e0d85af2f3d67

Download Submit
C:\Windows\SysWOW64\Lkmkfncf.exe

Filesize
430KB

MD5
ccd0f813894dfa038b8ca8b0b710208a

SHA1
ebb6086f52f0bfc39c3393d74bd64bfa3daf8f41

SHA256
d610c9aeb5d810e2792db31fd7c00148e79b56c3d69ce441af07e996fba56eee

SHA512
aaeb4178a4f98b568dcf762898632c4be0cbe66fe9d18f94d8705254ef07dbafa04ced2bee43f697bead0ad691120de13665ca285133c4850826a0d48d327488

Download Submit
C:\Windows\SysWOW64\Llmbqdfb.exe

Filesize
430KB

MD5
d3d5c7e16c19ce43269f977fb4a6f507

SHA1
3e8b083e9a960b7d57ad24edc2c5e564954827e5

SHA256
248c99f59781b5f5dc598417b7c5b693e087fe7e91c68f02a217c39c5a46ff2d

SHA512
5757ebc222101987f69fe08a8096452baa6fd1cb6bdcc33e1c32a9d689d8e929d422e830a8f916cfb74545d9d686b89722d3ae12bff2bcd4914e5d827bf6913a

Download Submit
C:\Windows\SysWOW64\Llmbqdfb.exe

Filesize
430KB

MD5
d3d5c7e16c19ce43269f977fb4a6f507

SHA1
3e8b083e9a960b7d57ad24edc2c5e564954827e5

SHA256
248c99f59781b5f5dc598417b7c5b693e087fe7e91c68f02a217c39c5a46ff2d

SHA512
5757ebc222101987f69fe08a8096452baa6fd1cb6bdcc33e1c32a9d689d8e929d422e830a8f916cfb74545d9d686b89722d3ae12bff2bcd4914e5d827bf6913a

Download Submit
C:\Windows\SysWOW64\Mcggga32.exe

Filesize
430KB

MD5
92426727b6faa005c2f24200f337a1aa

SHA1
27843a68e03d7099759f4b523ad49e305ca30154

SHA256
a4782923face03395500904497dae5b75fedf91e4ba381e9683f61f53a8360ef

SHA512
82ce3b4b54aee5e708c6988e634d78ce8173153dfeed23be2fc287a7638a2545fad600cc60f172286d1c3fa7a6422c6b9a3fcdc18ac380c34958ee349061f568

Download Submit
C:\Windows\SysWOW64\Mcggga32.exe

Filesize
430KB

MD5
92426727b6faa005c2f24200f337a1aa

SHA1
27843a68e03d7099759f4b523ad49e305ca30154

SHA256
a4782923face03395500904497dae5b75fedf91e4ba381e9683f61f53a8360ef

SHA512
82ce3b4b54aee5e708c6988e634d78ce8173153dfeed23be2fc287a7638a2545fad600cc60f172286d1c3fa7a6422c6b9a3fcdc18ac380c34958ee349061f568

Download Submit
C:\Windows\SysWOW64\Mldhacpj.exe

Filesize
430KB

MD5
b6888a01758fe411cb885d13aae93990

SHA1
7b46c8480df2fe5f6f4595c1dde6c882a06226c8

SHA256
533345b47f4577f5d7aa623689506fa3769c69643d0c5cda6ecca88a500b752d

SHA512
4c284ef3fb988bccf06bb8983db77d58bb7deb786490362018cea03f514a439eb9b6fce7d35c86a9261da2cbdeb4cc041b579f88a4b24f5efe1586c914bc0aa8

Download Submit
C:\Windows\SysWOW64\Mldhacpj.exe

Filesize
430KB

MD5
b6888a01758fe411cb885d13aae93990

SHA1
7b46c8480df2fe5f6f4595c1dde6c882a06226c8

SHA256
533345b47f4577f5d7aa623689506fa3769c69643d0c5cda6ecca88a500b752d

SHA512
4c284ef3fb988bccf06bb8983db77d58bb7deb786490362018cea03f514a439eb9b6fce7d35c86a9261da2cbdeb4cc041b579f88a4b24f5efe1586c914bc0aa8

Download Submit
C:\Windows\SysWOW64\Mpenmadn.exe

Filesize
430KB

MD5
291e1cc08d57047a7cd1b7c08a55d7d0

SHA1
c2963b347792b0abe26741157ef2d405988004c9

SHA256
97dcac31b463b5d87c22b332c5826286c91cc4d8de3cfd3f41c599cb24dd8ad7

SHA512
77867cedceed390c706bd5416349a0fd3d281f668e41795c69045bb73f02b1fc00dd655c2524cc124770d87befa7dd1db8bdcbeeb588d9935f47a27e5c122624

Download Submit
C:\Windows\SysWOW64\Mpenmadn.exe

Filesize
430KB

MD5
291e1cc08d57047a7cd1b7c08a55d7d0

SHA1
c2963b347792b0abe26741157ef2d405988004c9

SHA256
97dcac31b463b5d87c22b332c5826286c91cc4d8de3cfd3f41c599cb24dd8ad7

SHA512
77867cedceed390c706bd5416349a0fd3d281f668e41795c69045bb73f02b1fc00dd655c2524cc124770d87befa7dd1db8bdcbeeb588d9935f47a27e5c122624

Download Submit
C:\Windows\SysWOW64\Mpenmadn.exe

Filesize
430KB

MD5
291e1cc08d57047a7cd1b7c08a55d7d0

SHA1
c2963b347792b0abe26741157ef2d405988004c9

SHA256
97dcac31b463b5d87c22b332c5826286c91cc4d8de3cfd3f41c599cb24dd8ad7

SHA512
77867cedceed390c706bd5416349a0fd3d281f668e41795c69045bb73f02b1fc00dd655c2524cc124770d87befa7dd1db8bdcbeeb588d9935f47a27e5c122624

Download Submit
C:\Windows\SysWOW64\Nbdijpjh.exe

Filesize
430KB

MD5
e88e839917a8145856384f2620e743fa

SHA1
c14500d1154baa4107f14e6599da46065837939c

SHA256
42e8b21cdcf33616251b99528cf4d41132626594493a352574c5e2c504e319ec

SHA512
412fa2aff01d882c4afef6a9bdf8725d31cf8490c6ba990c2be6b2a51acf26e2c42d8976fea6a71a191ebe41850f21d5a88263959c946d2d817959d00dcc38d7

Download Submit
C:\Windows\SysWOW64\Nbefolao.exe

Filesize
430KB

MD5
182c97de2700260885b62e92ce02bf10

SHA1
390f0ebdba2f7e19a46e496aa32542f2d6902367

SHA256
361a7b92a73a5e88b134a717f2554410f23541ad962d8a15713987bc48f4ea06

SHA512
0a4474910c215744e4ba2b4b47ba0e61afc08da0c8692be8b66216d369f3d3919bd42350545c29453304af188cb71d13d5e9c644f34c42e04b904a2aeab79aa2

Download Submit
C:\Windows\SysWOW64\Nbefolao.exe

Filesize
430KB

MD5
182c97de2700260885b62e92ce02bf10

SHA1
390f0ebdba2f7e19a46e496aa32542f2d6902367

SHA256
361a7b92a73a5e88b134a717f2554410f23541ad962d8a15713987bc48f4ea06

SHA512
0a4474910c215744e4ba2b4b47ba0e61afc08da0c8692be8b66216d369f3d3919bd42350545c29453304af188cb71d13d5e9c644f34c42e04b904a2aeab79aa2

Download Submit
C:\Windows\SysWOW64\Nlnkgbhp.exe

Filesize
430KB

MD5
e0dde56466672305b2fab9cea944a2d6

SHA1
aeb97d6c9b4ec52eb5d1d877cdf9d6d53681243b

SHA256
3654f84b8829eceea8a132a0911ef3496c79f627a1739ca041a2785e965fc03f

SHA512
ae452941bf83eb2a89486cd82be3e7b74e46472e4225e96bf4a14a0773fb50d654197c0b19283f8e9c9cb84e6e2bb4cc00498a3c07b9b3420ea1dcc3a816a812

Download Submit
C:\Windows\SysWOW64\Nlnkgbhp.exe

Filesize
430KB

MD5
e0dde56466672305b2fab9cea944a2d6

SHA1
aeb97d6c9b4ec52eb5d1d877cdf9d6d53681243b

SHA256
3654f84b8829eceea8a132a0911ef3496c79f627a1739ca041a2785e965fc03f

SHA512
ae452941bf83eb2a89486cd82be3e7b74e46472e4225e96bf4a14a0773fb50d654197c0b19283f8e9c9cb84e6e2bb4cc00498a3c07b9b3420ea1dcc3a816a812

Download Submit
C:\Windows\SysWOW64\Ojllkcdk.exe

Filesize
430KB

MD5
abf40c0fb0f4e74f44a8af07467017fe

SHA1
4be29911de2ee4665b029ece6897f266aa019036

SHA256
8f6a55d9dc0eaad8066a282272fb1ea8b0988ead88d0069fcbe0c30f4d288532

SHA512
c35dc9fd4dbc7651f819ab8ecbe8665a397518ccaf5a1ab177a6c0e898a1ad140d4c5f30674bb7d882bfdfa6b1d5fcaf8b9d65936b1564571c05cd0eee5b4b81

Download Submit
C:\Windows\SysWOW64\Pmiijjcf.exe

Filesize
430KB

MD5
73c39a6d1280bab24943bd904497248c

SHA1
5aea0d91809fa556cd5a6e1712c6ed01bb76a99d

SHA256
c76b17a491a991de3bcd9a47374930d11e7ceb2ae2d7a27f035d8d9c05f86484

SHA512
e75fac9e747bdaa6accf676021eeb05b2670b163d08382d4b0c6d597c207fb477cc1d9bcb3647a6e1356a53fd9f987af4b9caeb3981cbfd58594d09e5548e249

Download Submit
C:\Windows\SysWOW64\Qefkcl32.exe

Filesize
430KB

MD5
af25c533df084d87784772cf6a930a4e

SHA1
f5f1006e120e61fdcb75875e9ec6cf5e716b4221

SHA256
a193ff8178c54f73d2832cb5d011ccdd260ad5f4b71b71fc05acb3a9821ccc59

SHA512
5297b945dadf290022843e39d2e5758c21a09adcef110befddaf1c1143e570ef3cb6dcaa7682c0eb8994b1c0a1f1ff37601bc985f8be21ee0f682efec0620206

Download Submit
C:\Windows\SysWOW64\Qpikao32.exe

Filesize
430KB

MD5
e29b449aa73f9d4719a1d2626c02478f

SHA1
e801316a030a4975fad0e7e5f8371c21df7f6502

SHA256
a226bbef49a0dc802623d28b49e2b98339baca7ee5a8f8669200f095a2a7e34f

SHA512
3d134016983bdb54f6b4458ce882dca7aa574850f26fe8b698d6466fca2a46fd15e81ab2220ea5e7ea7fbf099e750ef3b9d099869f5b3e48c4a67a7bd5b68d87

Download Submit
memory/572-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-677-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-711-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-703-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads