b9bd39d9051c8a05269d33a0a803f1d55808a7803e0005bee40c59ae9f147d6f

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce232b4987f8defb3f8235970d53b440_exe32.exe
Size

424KB
MD5

ce232b4987f8defb3f8235970d53b440
SHA1

44507439d02d7835ce5f6051239fa5a898638de7
SHA256

b9bd39d9051c8a05269d33a0a803f1d55808a7803e0005bee40c59ae9f147d6f
SHA512

5d4e412ff8beca53c5f187f5fa1570ab53b66c1cd3792042b837c205f3b9e9e760b09f8e659727a605331b932c6fbb1b0527bf07536017a2ba4fb6e735d23f7a
SSDEEP

6144:3akBqbPDDnzmntBLqo50VvJcpHnUmKyIxLDXXoq9FJZCUmKyIxLlwlIRx0pi:Q3wBLJEvJcpH32XXf9Do3or0pi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojlaeei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbabigfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikndgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aogiap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfngdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmieae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfodeohd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhghcki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pedbahod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhknpmma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laqhhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpdoqgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkbdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmhand32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbmingjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enbjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moaogand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maodigil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idkbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifihif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mehjol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdfjld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqbkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkjiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfqmpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgdokkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neccpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aekddhcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiglnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgibpf32.exe

Executes dropped EXE 64 IoCs

pid	Process
4544	Jeklag32.exe
516	Jcllonma.exe
4352	Klgqcqkl.exe
452	Kepelfam.exe
1320	Kdcbom32.exe
3496	Kpjcdn32.exe
4220	Kibgmdcn.exe
4132	Kdgljmcd.exe
432	Liddbc32.exe
1852	Liimncmf.exe
4680	Lepncd32.exe
4348	Ldanqkki.exe
2064	Lllcen32.exe
4428	Mibpda32.exe
4736	Mckemg32.exe
2032	Mcmabg32.exe
4704	Mnebeogl.exe
3060	Nngokoej.exe
3956	Nebdoa32.exe
4912	Ndcdmikd.exe
4924	Nloiakho.exe
2100	Npmagine.exe
4740	Nfjjppmm.exe
4672	Odkjng32.exe
2944	Opdghh32.exe
3592	Onhhamgg.exe
4756	Oqhacgdh.exe
3332	Pdfjifjo.exe
4508	Pggbkagp.exe
2548	Pmidog32.exe
3340	Qqfmde32.exe
328	Qqijje32.exe
4496	Ajanck32.exe
4236	Acjclpcf.exe
4432	Ambgef32.exe
2124	Agglboim.exe
3960	Aeklkchg.exe
1268	Amgapeea.exe
3288	Afoeiklb.exe
4380	Aepefb32.exe
4828	Bnhjohkb.exe
2056	Bganhm32.exe
4320	Bnkgeg32.exe
4796	Bjagjhnc.exe
2584	Beglgani.exe
3404	Beihma32.exe
2864	Bnbmefbg.exe
1764	Bcoenmao.exe
4960	Cndikf32.exe
756	Cdabcm32.exe
1464	Cmiflbel.exe
3692	Cdcoim32.exe
3420	Cmlcbbcj.exe
4060	Cdfkolkf.exe
5032	Dopigd32.exe
1704	Dejacond.exe
3708	Dmefhako.exe
3512	Ddonekbl.exe
2192	Dmgbnq32.exe
4244	Dkkcge32.exe
5008	Deagdn32.exe
4804	Dknpmdfc.exe
4420	Egdqae32.exe
3948	Eajeon32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfodeohd.exe	Glipgf32.exe
File opened for modification	C:\Windows\SysWOW64\Hiipmhmk.exe	Hoclopne.exe
File created	C:\Windows\SysWOW64\Llgcph32.exe	Lihfcm32.exe
File created	C:\Windows\SysWOW64\Jkdnhmdp.dll	Oofaiokl.exe
File created	C:\Windows\SysWOW64\Ohcpka32.dll	Addaif32.exe
File created	C:\Windows\SysWOW64\Bgicnp32.dll	Dkcndeen.exe
File opened for modification	C:\Windows\SysWOW64\Haaaaeim.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mpapnfhg.exe
File opened for modification	C:\Windows\SysWOW64\Ihqoeb32.exe	Ifbbig32.exe
File created	C:\Windows\SysWOW64\Kflnfcgg.exe	Kihnmohm.exe
File opened for modification	C:\Windows\SysWOW64\Hnhghcki.exe	Hhknpmma.exe
File created	C:\Windows\SysWOW64\Hllbndih.dll	Hkpqkcpd.exe
File created	C:\Windows\SysWOW64\Cfipef32.exe	Coohhlpe.exe
File opened for modification	C:\Windows\SysWOW64\Fpbflg32.exe	Felbnn32.exe
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Fngcmcfe.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Kfnkkb32.exe	Khmknk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhgfkg32.exe	Mehjol32.exe
File created	C:\Windows\SysWOW64\Oheihn32.dll	Ehfcfb32.exe
File opened for modification	C:\Windows\SysWOW64\Pkbjjbda.exe	Pmoiqneg.exe
File opened for modification	C:\Windows\SysWOW64\Egkddo32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Gafian32.dll	Pfillg32.exe
File opened for modification	C:\Windows\SysWOW64\Najceeoo.exe	Nkqkhk32.exe
File created	C:\Windows\SysWOW64\Nabfjpak.exe	Ncofplba.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jeapcq32.exe
File opened for modification	C:\Windows\SysWOW64\Nofefp32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Eobocb32.exe	Emcbio32.exe
File created	C:\Windows\SysWOW64\Hbmhabha.dll	Ccpdoqgd.exe
File created	C:\Windows\SysWOW64\Gejhef32.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Clgbhl32.dll	Cdbfab32.exe
File created	C:\Windows\SysWOW64\Maenpfhk.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Eemgplno.exe	Eobocb32.exe
File opened for modification	C:\Windows\SysWOW64\Nbcqiope.exe	Nlihle32.exe
File created	C:\Windows\SysWOW64\Bpnihiio.exe	Bjaqpbkh.exe
File created	C:\Windows\SysWOW64\Adfnofpd.exe	Aahbbkaq.exe
File opened for modification	C:\Windows\SysWOW64\Modgdicm.exe	Lgibpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Ipbdggii.dll	Ghklce32.exe
File created	C:\Windows\SysWOW64\Alkdoago.dll	Ikcmbfcj.exe
File created	C:\Windows\SysWOW64\Ikfghc32.dll	Dcigeooj.exe
File created	C:\Windows\SysWOW64\Olfghg32.exe	Oaqbkn32.exe
File created	C:\Windows\SysWOW64\Badjai32.dll	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Okjnnj32.exe	Oihagaji.exe
File created	C:\Windows\SysWOW64\Aefjii32.exe	Aolblopj.exe
File created	C:\Windows\SysWOW64\Kpcjgnhb.exe	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Eojiqb32.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Hppeim32.exe	Hifmmb32.exe
File created	C:\Windows\SysWOW64\Bpedeiff.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Lneajdhc.dll	Jecofa32.exe
File created	C:\Windows\SysWOW64\Fcmpdfhi.dll	Lgffic32.exe
File opened for modification	C:\Windows\SysWOW64\Pchlpfjb.exe	Ohpkmn32.exe
File created	C:\Windows\SysWOW64\Qeodhjmo.exe	Qkipkani.exe
File created	C:\Windows\SysWOW64\Eqgmmk32.exe	Ekjded32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Aaiqcnhg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9652	5960	WerFault.exe	991

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegbb32.dll"	Jblijebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdpaeehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbaojpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdaociml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcelmhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldfjqkf.dll"	Meamcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mldhfpib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbponhh.dll"	Leoghn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohpkmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlpaoaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmabofh.dll"	Kkconn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgplado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffcpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opakdijo.dll"	Ojnblg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fineoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncndec32.dll"	Plbmokop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookjdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfjlb32.dll"	Llgcph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnboabc.dll"	Fgbfhmll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohfami32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkincfn.dll"	Nemcjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll"	Ggpbjkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmoohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4544	4560	ce232b4987f8defb3f8235970d53b440_exe32.exe	82
PID 4560 wrote to memory of 4544	4560	ce232b4987f8defb3f8235970d53b440_exe32.exe	82
PID 4560 wrote to memory of 4544	4560	ce232b4987f8defb3f8235970d53b440_exe32.exe	82
PID 4544 wrote to memory of 516	4544	Jeklag32.exe	83
PID 4544 wrote to memory of 516	4544	Jeklag32.exe	83
PID 4544 wrote to memory of 516	4544	Jeklag32.exe	83
PID 516 wrote to memory of 4352	516	Jcllonma.exe	84
PID 516 wrote to memory of 4352	516	Jcllonma.exe	84
PID 516 wrote to memory of 4352	516	Jcllonma.exe	84
PID 4352 wrote to memory of 452	4352	Klgqcqkl.exe	86
PID 4352 wrote to memory of 452	4352	Klgqcqkl.exe	86
PID 4352 wrote to memory of 452	4352	Klgqcqkl.exe	86
PID 452 wrote to memory of 1320	452	Kepelfam.exe	87
PID 452 wrote to memory of 1320	452	Kepelfam.exe	87
PID 452 wrote to memory of 1320	452	Kepelfam.exe	87
PID 1320 wrote to memory of 3496	1320	Kdcbom32.exe	88
PID 1320 wrote to memory of 3496	1320	Kdcbom32.exe	88
PID 1320 wrote to memory of 3496	1320	Kdcbom32.exe	88
PID 3496 wrote to memory of 4220	3496	Kpjcdn32.exe	89
PID 3496 wrote to memory of 4220	3496	Kpjcdn32.exe	89
PID 3496 wrote to memory of 4220	3496	Kpjcdn32.exe	89
PID 4220 wrote to memory of 4132	4220	Kibgmdcn.exe	90
PID 4220 wrote to memory of 4132	4220	Kibgmdcn.exe	90
PID 4220 wrote to memory of 4132	4220	Kibgmdcn.exe	90
PID 4132 wrote to memory of 432	4132	Kdgljmcd.exe	91
PID 4132 wrote to memory of 432	4132	Kdgljmcd.exe	91
PID 4132 wrote to memory of 432	4132	Kdgljmcd.exe	91
PID 432 wrote to memory of 1852	432	Liddbc32.exe	92
PID 432 wrote to memory of 1852	432	Liddbc32.exe	92
PID 432 wrote to memory of 1852	432	Liddbc32.exe	92
PID 1852 wrote to memory of 4680	1852	Liimncmf.exe	93
PID 1852 wrote to memory of 4680	1852	Liimncmf.exe	93
PID 1852 wrote to memory of 4680	1852	Liimncmf.exe	93
PID 4680 wrote to memory of 4348	4680	Lepncd32.exe	94
PID 4680 wrote to memory of 4348	4680	Lepncd32.exe	94
PID 4680 wrote to memory of 4348	4680	Lepncd32.exe	94
PID 4348 wrote to memory of 2064	4348	Ldanqkki.exe	95
PID 4348 wrote to memory of 2064	4348	Ldanqkki.exe	95
PID 4348 wrote to memory of 2064	4348	Ldanqkki.exe	95
PID 2064 wrote to memory of 4428	2064	Lllcen32.exe	96
PID 2064 wrote to memory of 4428	2064	Lllcen32.exe	96
PID 2064 wrote to memory of 4428	2064	Lllcen32.exe	96
PID 4428 wrote to memory of 4736	4428	Mibpda32.exe	97
PID 4428 wrote to memory of 4736	4428	Mibpda32.exe	97
PID 4428 wrote to memory of 4736	4428	Mibpda32.exe	97
PID 4736 wrote to memory of 2032	4736	Mckemg32.exe	98
PID 4736 wrote to memory of 2032	4736	Mckemg32.exe	98
PID 4736 wrote to memory of 2032	4736	Mckemg32.exe	98
PID 2032 wrote to memory of 4704	2032	Mcmabg32.exe	99
PID 2032 wrote to memory of 4704	2032	Mcmabg32.exe	99
PID 2032 wrote to memory of 4704	2032	Mcmabg32.exe	99
PID 4704 wrote to memory of 3060	4704	Mnebeogl.exe	100
PID 4704 wrote to memory of 3060	4704	Mnebeogl.exe	100
PID 4704 wrote to memory of 3060	4704	Mnebeogl.exe	100
PID 3060 wrote to memory of 3956	3060	Nngokoej.exe	101
PID 3060 wrote to memory of 3956	3060	Nngokoej.exe	101
PID 3060 wrote to memory of 3956	3060	Nngokoej.exe	101
PID 3956 wrote to memory of 4912	3956	Nebdoa32.exe	102
PID 3956 wrote to memory of 4912	3956	Nebdoa32.exe	102
PID 3956 wrote to memory of 4912	3956	Nebdoa32.exe	102
PID 4912 wrote to memory of 4924	4912	Ndcdmikd.exe	103
PID 4912 wrote to memory of 4924	4912	Ndcdmikd.exe	103
PID 4912 wrote to memory of 4924	4912	Ndcdmikd.exe	103
PID 4924 wrote to memory of 2100	4924	Nloiakho.exe	106

C:\Users\Admin\AppData\Local\Temp\ce232b4987f8defb3f8235970d53b440_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\ce232b4987f8defb3f8235970d53b440_exe32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\Jeklag32.exe
  C:\Windows\system32\Jeklag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\Jcllonma.exe
    C:\Windows\system32\Jcllonma.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\Klgqcqkl.exe
      C:\Windows\system32\Klgqcqkl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        23⤵
        Executes dropped EXE
        
        PID:2100

C:\Windows\SysWOW64\Nfjjppmm.exe
C:\Windows\system32\Nfjjppmm.exe
1⤵
- Executes dropped EXE
PID:4740
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- - C:\Windows\SysWOW64\Opdghh32.exe
    C:\Windows\system32\Opdghh32.exe
    3⤵
    - Executes dropped EXE
    PID:2944
  - - C:\Windows\SysWOW64\Onhhamgg.exe
      C:\Windows\system32\Onhhamgg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3592
    - - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        5⤵
        Executes dropped EXE
        
        PID:4756
      - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        8⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        10⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        12⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        13⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        15⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        16⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        17⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        20⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        21⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        22⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        23⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        24⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        25⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        26⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        27⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        28⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        30⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        31⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        32⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        34⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        35⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        36⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        37⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        39⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Egdqae32.exe
        
        C:\Windows\system32\Egdqae32.exe
        41⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Eajeon32.exe
        
        C:\Windows\system32\Eajeon32.exe
        42⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Ehfjah32.exe
        
        C:\Windows\system32\Ehfjah32.exe
        43⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Emcbio32.exe
        
        C:\Windows\system32\Emcbio32.exe
        44⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Eobocb32.exe
        
        C:\Windows\system32\Eobocb32.exe
        45⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Eemgplno.exe
        
        C:\Windows\system32\Eemgplno.exe
        46⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Eachem32.exe
        
        C:\Windows\system32\Eachem32.exe
        47⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Fkllnbjc.exe
        
        C:\Windows\system32\Fkllnbjc.exe
        48⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Fhpmgg32.exe
        
        C:\Windows\system32\Fhpmgg32.exe
        49⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Fojedapj.exe
        
        C:\Windows\system32\Fojedapj.exe
        50⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Fedmqk32.exe
        
        C:\Windows\system32\Fedmqk32.exe
        51⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Fhdfbfdh.exe
        
        C:\Windows\system32\Fhdfbfdh.exe
        52⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Fkeodaai.exe
        
        C:\Windows\system32\Fkeodaai.exe
        53⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Ghipne32.exe
        
        C:\Windows\system32\Ghipne32.exe
        54⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Gnfhfl32.exe
        
        C:\Windows\system32\Gnfhfl32.exe
        55⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Ghklce32.exe
        
        C:\Windows\system32\Ghklce32.exe
        56⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        57⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Gnkaalkd.exe
        
        C:\Windows\system32\Gnkaalkd.exe
        58⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Gddinf32.exe
        
        C:\Windows\system32\Gddinf32.exe
        59⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Gkobjpin.exe
        
        C:\Windows\system32\Gkobjpin.exe
        60⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Gahjgj32.exe
        
        C:\Windows\system32\Gahjgj32.exe
        61⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        62⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Hnddgjbj.exe
        
        C:\Windows\system32\Hnddgjbj.exe
        63⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Hglipp32.exe
        
        C:\Windows\system32\Hglipp32.exe
        64⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Hocqam32.exe
        
        C:\Windows\system32\Hocqam32.exe
        65⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Hfningai.exe
        
        C:\Windows\system32\Hfningai.exe
        66⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Hdbfodfa.exe
        
        C:\Windows\system32\Hdbfodfa.exe
        67⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Iohjlmeg.exe
        
        C:\Windows\system32\Iohjlmeg.exe
        68⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ifbbig32.exe
        
        C:\Windows\system32\Ifbbig32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Ihqoeb32.exe
        
        C:\Windows\system32\Ihqoeb32.exe
        70⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Iokgal32.exe
        
        C:\Windows\system32\Iokgal32.exe
        71⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ifdonfka.exe
        
        C:\Windows\system32\Ifdonfka.exe
        72⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Igfkfo32.exe
        
        C:\Windows\system32\Igfkfo32.exe
        73⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        74⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        75⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ioopml32.exe
        
        C:\Windows\system32\Ioopml32.exe
        76⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ifihif32.exe
        
        C:\Windows\system32\Ifihif32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Igjeanmj.exe
        
        C:\Windows\system32\Igjeanmj.exe
        78⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Indmnh32.exe
        
        C:\Windows\system32\Indmnh32.exe
        79⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Iijaka32.exe
        
        C:\Windows\system32\Iijaka32.exe
        80⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jodjhkkj.exe
        
        C:\Windows\system32\Jodjhkkj.exe
        81⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        82⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Joffnk32.exe
        
        C:\Windows\system32\Joffnk32.exe
        83⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Joiccj32.exe
        
        C:\Windows\system32\Joiccj32.exe
        85⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Jfbkpd32.exe
        
        C:\Windows\system32\Jfbkpd32.exe
        86⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jblijebc.exe
        
        C:\Windows\system32\Jblijebc.exe
        87⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Jieagojp.exe
        
        C:\Windows\system32\Jieagojp.exe
        88⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        89⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Kihnmohm.exe
        
        C:\Windows\system32\Kihnmohm.exe
        90⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kflnfcgg.exe
        
        C:\Windows\system32\Kflnfcgg.exe
        91⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Khmknk32.exe
        
        C:\Windows\system32\Khmknk32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Kfnkkb32.exe
        
        C:\Windows\system32\Kfnkkb32.exe
        93⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Khpgckkb.exe
        
        C:\Windows\system32\Khpgckkb.exe
        94⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Knippe32.exe
        
        C:\Windows\system32\Knippe32.exe
        95⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Kfqgab32.exe
        
        C:\Windows\system32\Kfqgab32.exe
        96⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Khbdikip.exe
        
        C:\Windows\system32\Khbdikip.exe
        97⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kbghfc32.exe
        
        C:\Windows\system32\Kbghfc32.exe
        98⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Kiaqcnpb.exe
        
        C:\Windows\system32\Kiaqcnpb.exe
        99⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Lpkiph32.exe
        
        C:\Windows\system32\Lpkiph32.exe
        100⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lfealaol.exe
        
        C:\Windows\system32\Lfealaol.exe
        101⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Lidmhmnp.exe
        
        C:\Windows\system32\Lidmhmnp.exe
        102⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Lpneegel.exe
        
        C:\Windows\system32\Lpneegel.exe
        103⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Lfhnaa32.exe
        
        C:\Windows\system32\Lfhnaa32.exe
        104⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Lldfjh32.exe
        
        C:\Windows\system32\Lldfjh32.exe
        105⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lbnngbbn.exe
        
        C:\Windows\system32\Lbnngbbn.exe
        106⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Lihfcm32.exe
        
        C:\Windows\system32\Lihfcm32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Llgcph32.exe
        
        C:\Windows\system32\Llgcph32.exe
        108⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Leoghn32.exe
        
        C:\Windows\system32\Leoghn32.exe
        109⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Loglacfo.exe
        
        C:\Windows\system32\Loglacfo.exe
        110⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Mpghkf32.exe
        
        C:\Windows\system32\Mpghkf32.exe
        111⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Medqcmki.exe
        
        C:\Windows\system32\Medqcmki.exe
        112⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mlnipg32.exe
        
        C:\Windows\system32\Mlnipg32.exe
        113⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Molelb32.exe
        
        C:\Windows\system32\Molelb32.exe
        114⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Mhdjehhj.exe
        
        C:\Windows\system32\Mhdjehhj.exe
        115⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Moobbb32.exe
        
        C:\Windows\system32\Moobbb32.exe
        116⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Mehjol32.exe
        
        C:\Windows\system32\Mehjol32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mhgfkg32.exe
        
        C:\Windows\system32\Mhgfkg32.exe
        118⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Moaogand.exe
        
        C:\Windows\system32\Moaogand.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Mekgdl32.exe
        
        C:\Windows\system32\Mekgdl32.exe
        120⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Mpqkad32.exe
        
        C:\Windows\system32\Mpqkad32.exe
        121⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        122⤵
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nlglfe32.exe
        
        C:\Windows\system32\Nlglfe32.exe
        123⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        124⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        125⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Nlihle32.exe
        
        C:\Windows\system32\Nlihle32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Nbcqiope.exe
        
        C:\Windows\system32\Nbcqiope.exe
        127⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nlleaeff.exe
        
        C:\Windows\system32\Nlleaeff.exe
        128⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Nedjjj32.exe
        
        C:\Windows\system32\Nedjjj32.exe
        129⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Npjnhc32.exe
        
        C:\Windows\system32\Npjnhc32.exe
        130⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ngdfdmdi.exe
        
        C:\Windows\system32\Ngdfdmdi.exe
        131⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Nlqomd32.exe
        
        C:\Windows\system32\Nlqomd32.exe
        132⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Ncjginjn.exe
        
        C:\Windows\system32\Ncjginjn.exe
        133⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        134⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ooagno32.exe
        
        C:\Windows\system32\Ooagno32.exe
        135⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Oekpkigo.exe
        
        C:\Windows\system32\Oekpkigo.exe
        136⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Opadhb32.exe
        
        C:\Windows\system32\Opadhb32.exe
        137⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Ogklelna.exe
        
        C:\Windows\system32\Ogklelna.exe
        138⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Ohlimd32.exe
        
        C:\Windows\system32\Ohlimd32.exe
        139⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Oofaiokl.exe
        
        C:\Windows\system32\Oofaiokl.exe
        140⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Oepifi32.exe
        
        C:\Windows\system32\Oepifi32.exe
        141⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Oljaccjf.exe
        
        C:\Windows\system32\Oljaccjf.exe
        142⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Ocdjpmac.exe
        
        C:\Windows\system32\Ocdjpmac.exe
        143⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Ojnblg32.exe
        
        C:\Windows\system32\Ojnblg32.exe
        144⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Ookjdn32.exe
        
        C:\Windows\system32\Ookjdn32.exe
        145⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        147⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Plagcbdn.exe
        
        C:\Windows\system32\Plagcbdn.exe
        149⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Pckppl32.exe
        
        C:\Windows\system32\Pckppl32.exe
        150⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        152⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        153⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Pleaoa32.exe
        
        C:\Windows\system32\Pleaoa32.exe
        154⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Pcpikkge.exe
        
        C:\Windows\system32\Pcpikkge.exe
        155⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Phlacbfm.exe
        
        C:\Windows\system32\Phlacbfm.exe
        156⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        157⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Qjlnnemp.exe
        
        C:\Windows\system32\Qjlnnemp.exe
        158⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Qoifflkg.exe
        
        C:\Windows\system32\Qoifflkg.exe
        159⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        160⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Aokcklid.exe
        
        C:\Windows\system32\Aokcklid.exe
        161⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        162⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        163⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        164⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ajcdnd32.exe
        
        C:\Windows\system32\Ajcdnd32.exe
        165⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        166⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Bfqkddfd.exe
        
        C:\Windows\system32\Bfqkddfd.exe
        167⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        168⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        169⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Bjodjb32.exe
        
        C:\Windows\system32\Bjodjb32.exe
        170⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Bcghch32.exe
        
        C:\Windows\system32\Bcghch32.exe
        171⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        172⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Bpnihiio.exe
        
        C:\Windows\system32\Bpnihiio.exe
        173⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Bfhadc32.exe
        
        C:\Windows\system32\Bfhadc32.exe
        174⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Bqmeal32.exe
        
        C:\Windows\system32\Bqmeal32.exe
        175⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Bfjnjcni.exe
        
        C:\Windows\system32\Bfjnjcni.exe
        176⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Cpbbch32.exe
        
        C:\Windows\system32\Cpbbch32.exe
        177⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        178⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Cglgjeci.exe
        
        C:\Windows\system32\Cglgjeci.exe
        179⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        180⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Caghhk32.exe
        
        C:\Windows\system32\Caghhk32.exe
        181⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        182⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Cmniml32.exe
        
        C:\Windows\system32\Cmniml32.exe
        183⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Ccgajfeh.exe
        
        C:\Windows\system32\Ccgajfeh.exe
        184⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Cjaifp32.exe
        
        C:\Windows\system32\Cjaifp32.exe
        185⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Dpnbog32.exe
        
        C:\Windows\system32\Dpnbog32.exe
        186⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        187⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Dpqodfij.exe
        
        C:\Windows\system32\Dpqodfij.exe
        188⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        189⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Dabhdinj.exe
        
        C:\Windows\system32\Dabhdinj.exe
        190⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Dmihij32.exe
        
        C:\Windows\system32\Dmihij32.exe
        191⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        192⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        193⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        194⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        195⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Ehcfaboo.exe
        
        C:\Windows\system32\Ehcfaboo.exe
        196⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Eidbij32.exe
        
        C:\Windows\system32\Eidbij32.exe
        197⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        198⤵
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        199⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        200⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        201⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Epcdqd32.exe
        
        C:\Windows\system32\Epcdqd32.exe
        202⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Facqkg32.exe
        
        C:\Windows\system32\Facqkg32.exe
        203⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        204⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        205⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Fphnlcdo.exe
        
        C:\Windows\system32\Fphnlcdo.exe
        206⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        207⤵
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Fmlneg32.exe
        
        C:\Windows\system32\Fmlneg32.exe
        208⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Fdffbake.exe
        
        C:\Windows\system32\Fdffbake.exe
        209⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Fmnkkg32.exe
        
        C:\Windows\system32\Fmnkkg32.exe
        210⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Fhdohp32.exe
        
        C:\Windows\system32\Fhdohp32.exe
        211⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Fmqgpgoc.exe
        
        C:\Windows\system32\Fmqgpgoc.exe
        212⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Fhflnpoi.exe
        
        C:\Windows\system32\Fhflnpoi.exe
        213⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Gigheh32.exe
        
        C:\Windows\system32\Gigheh32.exe
        214⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        215⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Gijekg32.exe
        
        C:\Windows\system32\Gijekg32.exe
        216⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        217⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Gnhnaf32.exe
        
        C:\Windows\system32\Gnhnaf32.exe
        218⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        219⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        220⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Gnjjfegi.exe
        
        C:\Windows\system32\Gnjjfegi.exe
        221⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        222⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        223⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        224⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Hgelek32.exe
        
        C:\Windows\system32\Hgelek32.exe
        225⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Hajpbckl.exe
        
        C:\Windows\system32\Hajpbckl.exe
        226⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        228⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        229⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Hjhalefe.exe
        
        C:\Windows\system32\Hjhalefe.exe
        230⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        231⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        232⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Hhknpmma.exe
        
        C:\Windows\system32\Hhknpmma.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        235⤵
        
        PID:488
        
        C:\Windows\SysWOW64\Igqkqiai.exe
        
        C:\Windows\system32\Igqkqiai.exe
        236⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Injcmc32.exe
        
        C:\Windows\system32\Injcmc32.exe
        237⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        238⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7788
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        240⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        241⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        242⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Ikejgf32.exe
        
        C:\Windows\system32\Ikejgf32.exe
        244⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Jdnoplhh.exe
        
        C:\Windows\system32\Jdnoplhh.exe
        245⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        246⤵
        Modifies registry class
        
        PID:8104
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        247⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        248⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        249⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        250⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Jgcamf32.exe
        
        C:\Windows\system32\Jgcamf32.exe
        251⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        252⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        253⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Kjffdalb.exe
        
        C:\Windows\system32\Kjffdalb.exe
        254⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Kelkaj32.exe
        
        C:\Windows\system32\Kelkaj32.exe
        255⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Kkfcndce.exe
        
        C:\Windows\system32\Kkfcndce.exe
        256⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        257⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Kgmcce32.exe
        
        C:\Windows\system32\Kgmcce32.exe
        258⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Knflpoqf.exe
        
        C:\Windows\system32\Knflpoqf.exe
        259⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Keqdmihc.exe
        
        C:\Windows\system32\Keqdmihc.exe
        260⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        261⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        262⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        263⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        264⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Lajagj32.exe
        
        C:\Windows\system32\Lajagj32.exe
        265⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Lkofdbkj.exe
        
        C:\Windows\system32\Lkofdbkj.exe
        266⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Lalnmiia.exe
        
        C:\Windows\system32\Lalnmiia.exe
        267⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8820
        
        C:\Windows\SysWOW64\Ljdceo32.exe
        
        C:\Windows\system32\Ljdceo32.exe
        269⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Lankbigo.exe
        
        C:\Windows\system32\Lankbigo.exe
        270⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        271⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8996
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        273⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9084
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        275⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        276⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        277⤵
        Modifies registry class
        
        PID:9212
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        278⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        279⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        280⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Majjng32.exe
        
        C:\Windows\system32\Majjng32.exe
        281⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mlpokp32.exe
        
        C:\Windows\system32\Mlpokp32.exe
        282⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Malgcg32.exe
        
        C:\Windows\system32\Malgcg32.exe
        283⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        284⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8704
        
        C:\Windows\SysWOW64\Mldhfpib.exe
        
        C:\Windows\system32\Mldhfpib.exe
        286⤵
        Modifies registry class
        
        PID:8764
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        287⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Nemmoe32.exe
        
        C:\Windows\system32\Nemmoe32.exe
        288⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        289⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Nbqmiinl.exe
        
        C:\Windows\system32\Nbqmiinl.exe
        290⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        291⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        292⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Neafjdkn.exe
        
        C:\Windows\system32\Neafjdkn.exe
        293⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        294⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Neccpd32.exe
        
        C:\Windows\system32\Neccpd32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8500
        
        C:\Windows\SysWOW64\Nkqkhk32.exe
        
        C:\Windows\system32\Nkqkhk32.exe
        296⤵
        Drops file in System32 directory
        
        PID:8580
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        297⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        298⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Oondnini.exe
        
        C:\Windows\system32\Oondnini.exe
        299⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        300⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        301⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        302⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Oaompd32.exe
        
        C:\Windows\system32\Oaompd32.exe
        303⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        304⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        305⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        306⤵
        Drops file in System32 directory
        
        PID:8936
        
        C:\Windows\SysWOW64\Okjnnj32.exe
        
        C:\Windows\system32\Okjnnj32.exe
        307⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        308⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        309⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        310⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        311⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9068
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        312⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Phedhmhi.exe
        
        C:\Windows\system32\Phedhmhi.exe
        313⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        314⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        315⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        316⤵
        Modifies registry class
        
        PID:9152
        
        C:\Windows\SysWOW64\Pekbga32.exe
        
        C:\Windows\system32\Pekbga32.exe
        317⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        318⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        319⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Qhlkilba.exe
        
        C:\Windows\system32\Qhlkilba.exe
        320⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        321⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        322⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Qkmdkgob.exe
        
        C:\Windows\system32\Qkmdkgob.exe
        323⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        324⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        325⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9624
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        327⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        328⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Aakebqbj.exe
        
        C:\Windows\system32\Aakebqbj.exe
        329⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        330⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Ackbmcjl.exe
        
        C:\Windows\system32\Ackbmcjl.exe
        331⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        332⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\Acmobchj.exe
        
        C:\Windows\system32\Acmobchj.exe
        333⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Ajggomog.exe
        
        C:\Windows\system32\Ajggomog.exe
        334⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        335⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Bfngdn32.exe
        
        C:\Windows\system32\Bfngdn32.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10064
        
        C:\Windows\SysWOW64\Blhpqhlh.exe
        
        C:\Windows\system32\Blhpqhlh.exe
        337⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        338⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Bkafmd32.exe
        
        C:\Windows\system32\Bkafmd32.exe
        339⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Bblnindg.exe
        
        C:\Windows\system32\Bblnindg.exe
        340⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Bmabggdm.exe
        
        C:\Windows\system32\Bmabggdm.exe
        341⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        342⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        343⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        344⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        345⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        346⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9604
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        347⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Cfqmpl32.exe
        
        C:\Windows\system32\Cfqmpl32.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9768
        
        C:\Windows\SysWOW64\Cmjemflb.exe
        
        C:\Windows\system32\Cmjemflb.exe
        349⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        350⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Cmmbbejp.exe
        
        C:\Windows\system32\Cmmbbejp.exe
        351⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        352⤵
        Modifies registry class
        
        PID:10000
        
        C:\Windows\SysWOW64\Dcigeooj.exe
        
        C:\Windows\system32\Dcigeooj.exe
        353⤵
        Drops file in System32 directory
        
        PID:10092
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        354⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10148
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        355⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        356⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Dlieda32.exe
        
        C:\Windows\system32\Dlieda32.exe
        357⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9464
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        359⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        360⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        361⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        362⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        363⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\Eciplm32.exe
        
        C:\Windows\system32\Eciplm32.exe
        364⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        365⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        366⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        367⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        368⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Fmfnpa32.exe
        
        C:\Windows\system32\Fmfnpa32.exe
        369⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Fbcfhibj.exe
        
        C:\Windows\system32\Fbcfhibj.exe
        370⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        371⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        372⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        373⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Fmkgkapm.exe
        
        C:\Windows\system32\Fmkgkapm.exe
        374⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Fbhpch32.exe
        
        C:\Windows\system32\Fbhpch32.exe
        375⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        376⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        377⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        378⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9256
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        379⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        380⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9956
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        381⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        382⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        383⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        384⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        385⤵
        Modifies registry class
        
        PID:10292
        
        C:\Windows\SysWOW64\Hdehni32.exe
        
        C:\Windows\system32\Hdehni32.exe
        386⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        387⤵
        Drops file in System32 directory
        
        PID:10380
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        388⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        389⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        390⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Hpofii32.exe
        
        C:\Windows\system32\Hpofii32.exe
        391⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        392⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        393⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        394⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        395⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        396⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        397⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        398⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        399⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        400⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        401⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        402⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        403⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        404⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        405⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        406⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        407⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        408⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        409⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        410⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        411⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        412⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        413⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1376
        
        C:\Windows\SysWOW64\Kkpbin32.exe
        
        C:\Windows\system32\Kkpbin32.exe
        414⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        415⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        416⤵
        Modifies registry class
        
        PID:10884
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        417⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        418⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        419⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        420⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11160
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        421⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        422⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\Kcejco32.exe
        
        C:\Windows\system32\Kcejco32.exe
        423⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        424⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        425⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        426⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        427⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        428⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        429⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        430⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        431⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Lenicahg.exe
        
        C:\Windows\system32\Lenicahg.exe
        432⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        433⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        434⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        435⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        436⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        437⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        438⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        439⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        440⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        441⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        442⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        443⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        444⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        445⤵
        Drops file in System32 directory
        
        PID:10940
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        446⤵
        
        PID:908
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        447⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        448⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        449⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        450⤵
        Modifies registry class
        
        PID:10708
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        451⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        452⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        453⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        454⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        455⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        456⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        457⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        458⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        459⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        460⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        461⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        462⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        463⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        464⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        465⤵
        Drops file in System32 directory
        
        PID:10808
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        466⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        467⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        468⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        469⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        470⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        471⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        472⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10860
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        473⤵
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        474⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        475⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        476⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        477⤵
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        478⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        479⤵
        
        PID:672
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        480⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        481⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        482⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11308
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        483⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11348
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        484⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        485⤵
        Modifies registry class
        
        PID:11436
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        486⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11472
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        487⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        488⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        489⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        490⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        491⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        492⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        493⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        494⤵
        Modifies registry class
        
        PID:11824
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        495⤵
        Drops file in System32 directory
        
        PID:11864
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        496⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        497⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        498⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        499⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        500⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        501⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        502⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        503⤵
        Drops file in System32 directory
        
        PID:12200
        
        C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        504⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        505⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        506⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        507⤵
        Modifies registry class
        
        PID:11344
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        508⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        509⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11428
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        510⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        511⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        512⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        513⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        514⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        515⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        516⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        517⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        518⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        519⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        520⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        521⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        522⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2584
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        523⤵
        Drops file in System32 directory
        
        PID:12104
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        524⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12152
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        525⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        526⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        527⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        528⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        529⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        530⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        531⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        532⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        533⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        534⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        535⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        536⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5108
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        537⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        538⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        539⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        540⤵
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        541⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11928
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        542⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12012
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        543⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        544⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        545⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        546⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        547⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        548⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        549⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        550⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        551⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        552⤵
        
        PID:11532
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        553⤵
        Drops file in System32 directory
        
        PID:11584
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        554⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        555⤵
        
        PID:11720
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        556⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        557⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        558⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        559⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        560⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        561⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        562⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        563⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        564⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12268
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        565⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        566⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        567⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        568⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        569⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5016
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        570⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        571⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        572⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        573⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        574⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        575⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        576⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        577⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        578⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        579⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        580⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        581⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        582⤵
        Modifies registry class
        
        PID:12236
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        583⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        584⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        585⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        586⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        587⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        588⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        589⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        590⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        591⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        592⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        593⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        594⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1712
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        595⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        596⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        597⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        598⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        599⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        600⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        601⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        602⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        603⤵
        Modifies registry class
        
        PID:10832
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        604⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        605⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        606⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        607⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        608⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3724
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        609⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        610⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        611⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        612⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        613⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        614⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        615⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        616⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        617⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        618⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        619⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        620⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        621⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        622⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        623⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        624⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        625⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        626⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        627⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        628⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        629⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        630⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        631⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        632⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        633⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        634⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        635⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        636⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        637⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        638⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        639⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        640⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        641⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        642⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        643⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        644⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        645⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        646⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        647⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        648⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        649⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        650⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        651⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        652⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        653⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        654⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        655⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        656⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        657⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        658⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        659⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        660⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        661⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        662⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        663⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        664⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        665⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        666⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        667⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        668⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        669⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        670⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        671⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        672⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        673⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        674⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        675⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        676⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        677⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        678⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        679⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        680⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        681⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        682⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        683⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        684⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        685⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        686⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        687⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        688⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        689⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        690⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        691⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        692⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        693⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        694⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        695⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        696⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        697⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        698⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        699⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        700⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        701⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        702⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        703⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        704⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        705⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        706⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        707⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        708⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        709⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        710⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7864
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        711⤵
        Drops file in System32 directory
        
        PID:7904
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        712⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        713⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        714⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        715⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        716⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        717⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        718⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        719⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        720⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        721⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        722⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        723⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        724⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        725⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        726⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        727⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        728⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        729⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        730⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        731⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        732⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        733⤵
        
        PID:568
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        734⤵
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        735⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        736⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        737⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        738⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        739⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        740⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        741⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        742⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        743⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        744⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        745⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        746⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        747⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        748⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        749⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        750⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        751⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        752⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        753⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        754⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        755⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        756⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        757⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        758⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        759⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        760⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        761⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        762⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        763⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        764⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        765⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        766⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        767⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        768⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        769⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        770⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        771⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        772⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        773⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        774⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        775⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        776⤵
        Drops file in System32 directory
        
        PID:8652
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        777⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        778⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        779⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        780⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        781⤵
        Modifies registry class
        
        PID:8908
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        782⤵
        Drops file in System32 directory
        
        PID:8460
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        783⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        784⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        785⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        786⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        787⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        788⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        789⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        790⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        791⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        792⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        793⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        794⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8480
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        795⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        796⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9140
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        797⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        798⤵
        Modifies registry class
        
        PID:8852
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        799⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        800⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        801⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        802⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        803⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        804⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        805⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        806⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        807⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        808⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        809⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        810⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        811⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        812⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        813⤵
        Drops file in System32 directory
        
        PID:8344
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        814⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        815⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        816⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        817⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        818⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        819⤵
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        820⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9292
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        821⤵
        Modifies registry class
        
        PID:8948
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        822⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        823⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        824⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        825⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9552
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        826⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        827⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        828⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        829⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        830⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        831⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        832⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        833⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        834⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9492
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        835⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        836⤵
        Drops file in System32 directory
        
        PID:10084
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        837⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        838⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        839⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        840⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        841⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        842⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        843⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        844⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        845⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        846⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        847⤵
        Drops file in System32 directory
        
        PID:9044
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        848⤵
        Modifies registry class
        
        PID:9084
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        849⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        850⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        851⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        852⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        853⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        854⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        855⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        856⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        857⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        858⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        859⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        860⤵
        Drops file in System32 directory
        
        PID:8808
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        861⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        862⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        863⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        864⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        865⤵
        Modifies registry class
        
        PID:9428
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        866⤵
        Drops file in System32 directory
        
        PID:8496
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        867⤵
        Drops file in System32 directory
        
        PID:9224
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        868⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8732
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        869⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10212
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        870⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        871⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        872⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        873⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        874⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        875⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 412
        876⤵
        Program crash
        
        PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5960 -ip 5960
1⤵
PID:9668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaiqcnhg.exe

Filesize
424KB

MD5
09f4f4ddb0e59e5e4ea45a6bd8208b60

SHA1
8ffd5a5a21c295f02229c4be79b116e90812d8a1

SHA256
dbf8a18f66f0c7b533bb2a8478ed52ab1de7c7f5d30ca4bf1ed422dd86e9735e

SHA512
d70f417f4d3c5b520ca5f7100b9595cec4433dd26e4b432754b7c2d3d90116cd783c104e5dc39b4547919d67bd11bdb57aa51d20dcbffa8589604ae0d5f0cbcd

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
424KB

MD5
f1c8e1a2dd5b76724e2724380d62fdbf

SHA1
8cb0db843cb49b68e40d589a516a37e4b1c3ce12

SHA256
215ad8eed1bd5ee64d80e0fa1f0da0194dbe78b97da87cc86d071994883ccb2f

SHA512
0bcdaefc7c86c0b156d2bde8e76efd4e8ebfc550fb2a7cd97787bd994564dd36d78b7966bf16da09885d61e8a164f095924d599763bd1f9b246e5cf9921bba9b

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
424KB

MD5
ad0d521cfb02e5573555dece430d118b

SHA1
5cc717d608149a1759bb4ca1a03b5d61ae379876

SHA256
e10f9c0f77c216fa1bc80b5ff13967bf86747008bb078c2cc1e57f58cf6c6315

SHA512
d34c797272f38ca771078e3bcab633452d062b55898d1f879f9574c0d5b6621e4fb36a133519b10bb44e15db854d2046de02e389ab60cb698ce6b45f1d954f11

Download Submit
C:\Windows\SysWOW64\Ajdjin32.exe

Filesize
424KB

MD5
dd0d3b03a2cedf5fd8061ccdbf0d24ef

SHA1
7a092e9bd7395e6a402cc45ef780d00cfc226a72

SHA256
3c8fe16e4b38c45a6c8894d9cfaced387b08a8cf7fa5542f9c73a44632ccd24a

SHA512
04293c09ae2841bff8b1719cc3d60c41832d1cd85a7db3842d99e84a2e7637a926534c29298d6013cc7f79eabdd47d714fa9567d6258806a88c324b354434e80

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
424KB

MD5
f539dd773b3742cbd5a7a4cd2ae04912

SHA1
c8aac64c5648b59f703032e69776d150b1d68292

SHA256
123c0e8d8204c56896a1402f8c49bb0993af6e7bf4a4486a171f2f0e51e0df75

SHA512
d97bdb2ac7a93c1b4928363e90ba2f1a4a3db0934e64c80cb7a7cbdf3948b22fa1ccc5910ed7f14236b6c94ecaaaa83344bb36232ca270b8d756b42718fd9db2

Download Submit
C:\Windows\SysWOW64\Cadlbk32.exe

Filesize
424KB

MD5
880f09b39593fafa2982921be0bcfcbe

SHA1
828181974eb2ad775119a840b790f96a1f2c17a4

SHA256
7bce4ea64a2e7049fa5822a2163830732c527cf0ef71aec4df0f8d33e03a7387

SHA512
f346ad8061cb38a8f508b71c14ee3e982d8523dd8701f6b447d1a3a19b135ae9bb383238c52e3eaae820063909b4bee82de5e6c4706b8da71e95080239d2544e

Download Submit
C:\Windows\SysWOW64\Cijpahho.exe

Filesize
424KB

MD5
f52dc9dc8dadeb87fb71610b492216ab

SHA1
5bddef85c4badb3d30f898fab79338be2a8065b2

SHA256
3e4d3f9e3005b1f9d7d13d8a46471b63331344b91a46ce6bd0229fdfa851231d

SHA512
e1a1778088ca060b77689c06e1c893837568e6e81dd3fde4e07ace36adeeba0aa1006705397e2998f7b874f22ceebd745f0a728b839e61d81254f260802a5120

Download Submit
C:\Windows\SysWOW64\Dfhjkabi.exe

Filesize
424KB

MD5
0f28c46d68bd12a766ec97bb6578bfac

SHA1
34ca5a5ff2207b9b7175cdee66913f4808c820b5

SHA256
30b8fa61005d7280c0cd7cd3059da62415a4adacba5828d91315276dd4051eb4

SHA512
26728eeea278b3d2e1c134f393b9d4b1ec6bb4a5e7c6478fb896d9eeabc93ee984ee27b2a362c591eab8e1ee24a96e1c3623811174fbd6bc1ac480e926562a03

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
424KB

MD5
12d166ebee5bea959f22d6e179f4e493

SHA1
a9a4ba5f82b95386d860c55585795c19d826fbe3

SHA256
739dd24b4b4f0e8406b3d62a447cf62dc7d917069d9de3ee894d255100eee1a5

SHA512
a8ffe629158e8e7fff492efe2886ec0d7e87cf5d90e578cd04d08697764fceb773aa8961906b097f2b47187b4611aeaa32876caf643137c46255731388d092c1

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
424KB

MD5
ce61980b85ee2e37a99d7f568dc134ac

SHA1
1f212ae5ed260c955061c6aab71fc826f2f00136

SHA256
4e4db0deb3256b05dadd66a279d482ed3a6bed72db0ddaac7f2da4c99a076cc5

SHA512
684fbb26fc82a6c3a84e70aedfdb3509b8560315e78e96912b48f6370931230ae24bf3d48043b321ed3fa690f75d877e5aa8887ef8201dc4343539166d484395

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
424KB

MD5
25ac0f853cd44d9e1ac1082729318011

SHA1
32d5a831343c0ade08c37009ed3933faf8e28b7b

SHA256
f290f1ef853311a2f2bae8d8a8117fc412f4e625cfd4319d930f05bc338b839f

SHA512
509f8e8918906f2652140a00d043f59a995a8854275dd2fc698ab33861846d14a5f349af27526e6dd908d3406f8acacd00064cfaf0d9d8abe0f94a03c5c2ef3a

Download Submit
C:\Windows\SysWOW64\Eachem32.exe

Filesize
424KB

MD5
4e091510d1dc1b35d772c5ace9aed757

SHA1
cbaa60506c8c839fc544f1c803b8c48c5e2689cb

SHA256
a2358eb6ba662c2a7a8170b95e0db3ba7fa6cb276d4c34c2414000d06bfb331b

SHA512
1ede88fd8371720d970312a0f7e6de4067b3566c9431863b787a69dff1ea4d2a02eb3250466a5ec547f8516e2ebdf620648db008774d2d97a5f4e99fb7ef9b3a

Download Submit
C:\Windows\SysWOW64\Eajeon32.exe

Filesize
424KB

MD5
c8c3afc01c10538e80414ec3cadbc733

SHA1
1d761d8c96e2f2c3282b908a0dd806c67f136f58

SHA256
15e78efcb7edc8a0d8ef7e7b7a1ac08201df324654b26940ed8d0f6b5f54b491

SHA512
71f574b5c4b6f40a53907f34dd1b65a7214056ee6bd2666b0eef684222ad981e1038334bd31f935520924124f817942da951980506f1a7dd8fe0b5cbfbe92c81

Download Submit
C:\Windows\SysWOW64\Eclmamod.exe

Filesize
424KB

MD5
a8ef4d8b018c6e505b9aa0b101afbc37

SHA1
c1ab0a0ed7b38f70548b91a49ecc4b7f39a0398d

SHA256
95ef63f106348d9407f0d2e774c38376f644262de921bb1cfa7235a9dc17b40a

SHA512
0ffd709c2372d74d711e810977148834cf1cf49b625252d025db7d3db052c79cc125d6858600a768d3271375bd914c66d6c5f1b99cfe7adff1baea507e6e258d

Download Submit
C:\Windows\SysWOW64\Ejnjpohk.dll

Filesize
7KB

MD5
f7ab3c1a402a0aa4aeefe473ac4190c3

SHA1
e3f6b7d292aebd668f04c47b3ab3bcb2155ac6e5

SHA256
c8f80eaa849875396289cc2721b0d6337bfdfc26824e7cd7c539118e326bf8e5

SHA512
fbd0655f89046abf12782deb08cac94704c26afa0b3036218c0d37147bd43167a212de1ee66daccd061a7d153009a4a80ce50220de3a664bf3868001528259d6

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
424KB

MD5
24984932b1b18e3bdabf43e97d198651

SHA1
abc99e526825fae08023c73952878b211d9e8a22

SHA256
211b38748a1c7406940260a165adb4d875f27fa1befff9499b2950b8a15495de

SHA512
23701b829b0efe5de64cc88f7bbdcddafd90c38f5b7f72db3d8a413193c58464d673c979d3d722a12c212438c9585a86f47688baa08fd1cda9b4cea4927be93b

Download Submit
C:\Windows\SysWOW64\Fhdfbfdh.exe

Filesize
424KB

MD5
e0ccc1a791ee28916f762069f53782d6

SHA1
6d3fc3603eefd076443cd7224f67aea3c3de33ab

SHA256
30420aa7ce71880060a8da2150bc63eebb823381c836958a030bc029a68d296f

SHA512
bb7ae8777943e0c1f3402a5518bc2e36e520290791bb11516e67d3495d1a4f601284a128ce0a1517b6d9f1e7f6127d48348139766bdde0780478ce346ec9ac5e

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
424KB

MD5
613d97e87805193b6b6798956026af5c

SHA1
873d6dcd6c73da60f9253c6b7009bcc437b0ad02

SHA256
ed2814025cbd2e3c1dc6f6d64d65ec39d2ad08f83a49042ce0926437ab4ad9dc

SHA512
8ff638fa99e2613fbe96eeafe0a1fbb440298389f687e47aa9ad3430cb759b4433205130f97e306f380db2e5e13fb1d778f330c226abd13e7279ee4dc10e7602

Download Submit
C:\Windows\SysWOW64\Gbmingjo.exe

Filesize
424KB

MD5
c1513cb512d90fa383da0a188784ad70

SHA1
7e8904bdad8e138cfb7836929b260796068cb7dc

SHA256
c0a379a3a7cabf883d6cfcde55ba6dcd0cd31fb218a07618350df4d97206bd2d

SHA512
8d6d9e9a7bd2480e8f796cf9fb36d3f1d749ca1e102b4d9a26fd33f286391eac75ca08cab58a4e82bd22e4df98ee381e41a7f538a8e2ccfa46d0d45c1e4bd1d6

Download Submit
C:\Windows\SysWOW64\Ghipne32.exe

Filesize
424KB

MD5
adb2207b2d87f23ec8a81a3ee07932ac

SHA1
4cffbc5ebe86886fcdb6af93a066224763b89075

SHA256
afac31609f07580c7337b17cef1fd9f85491250489f4b99a4e96e4b0c490f53a

SHA512
b1b04449608f8ee3d7a0667fe6ea5a133470a9210d8581bed54ddceb14b3db1065a15d0864856fc003428e28e6083691781fed9512da734c4e155ae10f1173c0

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
424KB

MD5
2aa85d1ae87b1656c48677eff22394a3

SHA1
f7c6dd8979da9937fe9331c72318fc106e05b48c

SHA256
9e68eacf78319bd694fede1d33b147ad487dec1dc73876638f5447d15aaf2931

SHA512
52843a5d2729d93804e5cac124ac2f3827e45d7a924896fc744cc1e57194b6e6b5a5a5e0cd1830553397faa90ec29364f0c1947a65c0297be99e5dbf0fb13728

Download Submit
C:\Windows\SysWOW64\Hdbfodfa.exe

Filesize
424KB

MD5
e81299c3d161a90c6159e8c5204a7626

SHA1
5d11242164514e01d13ecf87f8bc5fb83b6f6a66

SHA256
ca17cb0e17fba27115aa345a9f60a049da61855c42317545c47462477c0b9093

SHA512
1affada7191ed380175f2d75319ff3e01656274f3a45943941cb838cfc15abc7acfb4c3bfb90229f9765e53da90a7473a0f098741cab0a9f794a701291c38d00

Download Submit
C:\Windows\SysWOW64\Hfningai.exe

Filesize
424KB

MD5
e81299c3d161a90c6159e8c5204a7626

SHA1
5d11242164514e01d13ecf87f8bc5fb83b6f6a66

SHA256
ca17cb0e17fba27115aa345a9f60a049da61855c42317545c47462477c0b9093

SHA512
1affada7191ed380175f2d75319ff3e01656274f3a45943941cb838cfc15abc7acfb4c3bfb90229f9765e53da90a7473a0f098741cab0a9f794a701291c38d00

Download Submit
C:\Windows\SysWOW64\Hhknpmma.exe

Filesize
424KB

MD5
befc8309f41d6ea8084a81976b459419

SHA1
9c66f7dde30ec6e8dbf95109809e0254f20f9372

SHA256
3123f7b310be96ca19b8e92a131e81fb9659367d92b7d0d7ca78130b96aa61d4

SHA512
1b6087258ff4f0a0ca3fd835b444316a9b0224418ec76c2cb202c52d84154d4780aa70dd5634d36b1adf6dd1d5956f1b85bb2a27873f2cc2b83a3a7df7ea9c91

Download Submit
C:\Windows\SysWOW64\Ikejgf32.exe

Filesize
424KB

MD5
a2265568b9eaaa8b20cdcef8ca1ee810

SHA1
4e9774be2bdb386e9230452959464f2920f2fd54

SHA256
fcf0f4375ff5396d1fc8200285cb3f7306fa44a1cc1ea9c3047284426cdff509

SHA512
1830e2fccf63671401720991ed8c7d2caa4c72942345c956ec026a4b0a427e4b0be1802892b6d54e167cf7cbbb33b98e703e8edfdf03986e47d8f9519dc7465d

Download Submit
C:\Windows\SysWOW64\Ipflihfq.exe

Filesize
424KB

MD5
0e7d4fbf7a998c8d33c4c3ca3e417317

SHA1
21a8d609a8de527b3358a0c1c5416c4d2aafe93c

SHA256
02b4b87031fd4281ee9b3822efbe8e02c96ede14e8cab2d3162cce2279eb6077

SHA512
fbeef4c8d9ded90fb2d18ba6a8d2275f5e0a8159ffc9849a8627a361fdcf5704eb7962b3aea45dab7e5fb980ff73765f869bd087aa3a8aad43a9a75c972657d1

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
424KB

MD5
cf5ac228559c2bad63c42ae6d155b30d

SHA1
037c7b696ceb2a8cb14dd54f9c0e36c67c322232

SHA256
69bff47d56b5f4cbab35e172e414060653364f62bbd9eeb267aa20edd0638a90

SHA512
586805c0228e5c6303f0fd2b4ba3da39176086d3882b88e916587ca2900b996d9a43f859a9ea9dff5be14794257965e6de5858342a18a62ddb2541344c988c0e

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
424KB

MD5
cf5ac228559c2bad63c42ae6d155b30d

SHA1
037c7b696ceb2a8cb14dd54f9c0e36c67c322232

SHA256
69bff47d56b5f4cbab35e172e414060653364f62bbd9eeb267aa20edd0638a90

SHA512
586805c0228e5c6303f0fd2b4ba3da39176086d3882b88e916587ca2900b996d9a43f859a9ea9dff5be14794257965e6de5858342a18a62ddb2541344c988c0e

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
424KB

MD5
b6346c9ecdc7814b26b2c66fabde78ff

SHA1
90a1a8082bf5dd412846dac07babe9e7b97f3aeb

SHA256
3121b3816f6b08ff9bcf342bf081bacd505d3f0c5e3cbac14e763a8bfb791ac6

SHA512
5508a3781ad414afdb9a47d8415d447f82b1ec4c6c6574e4586856d76e04256e896baadb4f7bd4f3ba68eaa9c925d777cb7ca6f5745892039483c478e3c6527d

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
424KB

MD5
b6346c9ecdc7814b26b2c66fabde78ff

SHA1
90a1a8082bf5dd412846dac07babe9e7b97f3aeb

SHA256
3121b3816f6b08ff9bcf342bf081bacd505d3f0c5e3cbac14e763a8bfb791ac6

SHA512
5508a3781ad414afdb9a47d8415d447f82b1ec4c6c6574e4586856d76e04256e896baadb4f7bd4f3ba68eaa9c925d777cb7ca6f5745892039483c478e3c6527d

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
424KB

MD5
7d02a5f850040121ec60a8ec106c2cec

SHA1
cb9cf10431c6439f06dd851038d71be4c28a6786

SHA256
ba8320c1645d6e8ba944f7ce18d842a5425f88927a09f4a83d8338e3215c1698

SHA512
0882704d79b5d748985ad7693dc6b87cd40ab81ae8d3f975517993a311b728f1955120f59eb9a5af3520d265ed96a4cb3f916cb50e6284e68462abb5b5733acc

Download Submit
C:\Windows\SysWOW64\Jgcamf32.exe

Filesize
424KB

MD5
9dab5621cf41706e67a6ef82a92e14c3

SHA1
584bae9b0ce719439e2873ffcb09d2be5cf3d274

SHA256
e413c97515b57812bffbf6b530d43d9fcc98e30181d90893cef9a385ce929fc1

SHA512
50f378d97231ee41a358189fd86417eabefac90b4bd8da600c090b66c9b0eced10707bef3adafbfb8be52e8407c599910f69cf97c0a938c847d15e9faa7f488c

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
424KB

MD5
ad9e226b0c17f9b99f82d57cfeb0dfe8

SHA1
807870b8be09e3df231c347b87a75c095d35980c

SHA256
233cb6846c402b9b5bc6c1448e62f96ccc79d689101c0eecbcd6631f4b55a556

SHA512
8c93fd09010b2f20f4b7e9dfff25c32bf3e9e6b576191ac6dce03b38cd8d20cefaecd71404c9415810b5cdaae90beafca20c6a0fea153264bea3036383aca220

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
424KB

MD5
ad9e226b0c17f9b99f82d57cfeb0dfe8

SHA1
807870b8be09e3df231c347b87a75c095d35980c

SHA256
233cb6846c402b9b5bc6c1448e62f96ccc79d689101c0eecbcd6631f4b55a556

SHA512
8c93fd09010b2f20f4b7e9dfff25c32bf3e9e6b576191ac6dce03b38cd8d20cefaecd71404c9415810b5cdaae90beafca20c6a0fea153264bea3036383aca220

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
424KB

MD5
59703feb614b8da79cb2038cdbafb6fe

SHA1
5846a083be24e3117c14ea2ebc854242f6dbb8d0

SHA256
bad25ca424dcaf3eec395b52732877b2d8125671a686a9c240d0a2c1cd11c241

SHA512
c6665f25504c5705f30fdeea2c18852d9b256d69c7b26f6c66c3f14e84dd35155eb7073d990756196d5a505329404ee71dee88a2511bb7a63e236219b92bc2fd

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
424KB

MD5
59703feb614b8da79cb2038cdbafb6fe

SHA1
5846a083be24e3117c14ea2ebc854242f6dbb8d0

SHA256
bad25ca424dcaf3eec395b52732877b2d8125671a686a9c240d0a2c1cd11c241

SHA512
c6665f25504c5705f30fdeea2c18852d9b256d69c7b26f6c66c3f14e84dd35155eb7073d990756196d5a505329404ee71dee88a2511bb7a63e236219b92bc2fd

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
424KB

MD5
02db2ad2ddcda10cac94c716471692b7

SHA1
3cd43f6f20c83f63d7b1ba2bc41ff3be7e03749b

SHA256
2dc6fe68ec20258e1cc0b83f4b0a9b73b6251f514a1a66ca21d7fd83b145f0f9

SHA512
5288bfc94b1245840b74b1fa32d299d488f0eb4a80331d6ad898e150e837d49114586ab4e2a99e1095112f636b8abd5b771304eafd812c7baaada5bf8707c27d

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
424KB

MD5
02db2ad2ddcda10cac94c716471692b7

SHA1
3cd43f6f20c83f63d7b1ba2bc41ff3be7e03749b

SHA256
2dc6fe68ec20258e1cc0b83f4b0a9b73b6251f514a1a66ca21d7fd83b145f0f9

SHA512
5288bfc94b1245840b74b1fa32d299d488f0eb4a80331d6ad898e150e837d49114586ab4e2a99e1095112f636b8abd5b771304eafd812c7baaada5bf8707c27d

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
424KB

MD5
15caf3e754835600cfd56054425a85a6

SHA1
6abfc96816d615f5e7e36918edb34a2919391fad

SHA256
9988d7eb07fa6b121ad544e400a099daaf5bc9c430e26472d423b6055053449c

SHA512
9bdf0c28ea4fe88a687fdf8ac2f1978b63edc9ad3ef67c152a6e93b812f73d460d2699e09e6c935f15df4dd52521c02b57f8f635269825281644cd4e25bec6ff

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
424KB

MD5
15caf3e754835600cfd56054425a85a6

SHA1
6abfc96816d615f5e7e36918edb34a2919391fad

SHA256
9988d7eb07fa6b121ad544e400a099daaf5bc9c430e26472d423b6055053449c

SHA512
9bdf0c28ea4fe88a687fdf8ac2f1978b63edc9ad3ef67c152a6e93b812f73d460d2699e09e6c935f15df4dd52521c02b57f8f635269825281644cd4e25bec6ff

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
424KB

MD5
e2952a7a96e6765b344ad866de07b033

SHA1
415fd247abb2ec2053a99fb8cc4df6c15f28d3fa

SHA256
56a7cf45f2bedcb9b7c83d78f112ab064d249fb65c1d97a34a8033845ff078d6

SHA512
beb865334eb730b809b548c205cdb65c2f489c60bec832ad4e899f4343b44a2389a77f1cde934aa4ea11e61458221edeedcf8b92d31bb484f9b529e619289c92

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
424KB

MD5
e2952a7a96e6765b344ad866de07b033

SHA1
415fd247abb2ec2053a99fb8cc4df6c15f28d3fa

SHA256
56a7cf45f2bedcb9b7c83d78f112ab064d249fb65c1d97a34a8033845ff078d6

SHA512
beb865334eb730b809b548c205cdb65c2f489c60bec832ad4e899f4343b44a2389a77f1cde934aa4ea11e61458221edeedcf8b92d31bb484f9b529e619289c92

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
424KB

MD5
684ebcd98361003ff24cc6f140b12074

SHA1
7fd22cd21cb7672b9d30d286d0ef85964deb1d37

SHA256
4bafc0d913c24ea907b1230c39c8dd82784b7935c1170af9d50d01b92023d476

SHA512
0f47e04801a5127652730113d01c71dd1530709371ef9cbd0a692caea54d133ebe2d48cc02cb8a654c701dd18840592ea3d4c6d2981ad0df4cd3904eb311049f

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
424KB

MD5
386f0e0fb3d313dcbb4246bbf2098700

SHA1
80c92c61e7ca98eb3b0e76ad3fccb1f3c36d404c

SHA256
13cc2eda9e6fc11623f4f2047711834185ce59622a4582c75b535ecfcffe2ba9

SHA512
daf903e774e1b44e5d511e067665ecc89ff37b2351fec8f4a64cdf21d726cf6ea1bdb1a0db566c24dc4d55e1e98796662774019090f7b1d4689a17a92afcf658

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
424KB

MD5
386f0e0fb3d313dcbb4246bbf2098700

SHA1
80c92c61e7ca98eb3b0e76ad3fccb1f3c36d404c

SHA256
13cc2eda9e6fc11623f4f2047711834185ce59622a4582c75b535ecfcffe2ba9

SHA512
daf903e774e1b44e5d511e067665ecc89ff37b2351fec8f4a64cdf21d726cf6ea1bdb1a0db566c24dc4d55e1e98796662774019090f7b1d4689a17a92afcf658

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
424KB

MD5
fba47256e6956df71e50f8591dddf70a

SHA1
3573fb6f08e1fa0a1101b486edbbec6efc8ac417

SHA256
e72ffa45d68fbdc4c704c2ae1d63b8b3f5df46eea1baaea415f4e9a5f21973c7

SHA512
b4d26db6ae777243501211e643561e979b3389443949c9f7e5df5c828d355e2fe7d48fe59907c92d7b37b32a7ec94edd356f06167b6d3a426edfc5cb2310d3d5

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
424KB

MD5
fba47256e6956df71e50f8591dddf70a

SHA1
3573fb6f08e1fa0a1101b486edbbec6efc8ac417

SHA256
e72ffa45d68fbdc4c704c2ae1d63b8b3f5df46eea1baaea415f4e9a5f21973c7

SHA512
b4d26db6ae777243501211e643561e979b3389443949c9f7e5df5c828d355e2fe7d48fe59907c92d7b37b32a7ec94edd356f06167b6d3a426edfc5cb2310d3d5

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
424KB

MD5
b1362c826deaf74271b942f1606c876c

SHA1
644533bb20bef5bc55f47066fb439eb4f5ca1b15

SHA256
3995006c779cf596256e33fcb98c6fd97a5ce65a97def9d79172e0de8da31238

SHA512
5f4eaa5533447508f2ac3b590938109e919d3519a60f23d49cd49d90931210001cae658d7c0903a8dd57038861f8cf5e92373aa08a8feaac220781caf50d5849

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
424KB

MD5
b1362c826deaf74271b942f1606c876c

SHA1
644533bb20bef5bc55f47066fb439eb4f5ca1b15

SHA256
3995006c779cf596256e33fcb98c6fd97a5ce65a97def9d79172e0de8da31238

SHA512
5f4eaa5533447508f2ac3b590938109e919d3519a60f23d49cd49d90931210001cae658d7c0903a8dd57038861f8cf5e92373aa08a8feaac220781caf50d5849

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
424KB

MD5
8f29364b0e187c56354623bd15e5e353

SHA1
d6e226010825996637fa70f4d4c551456ab678d6

SHA256
b6d3973c0c66c6b85ab32b20efe65134ec629af757e0fe4f8d938d2cfe51b686

SHA512
27c600a369013d006bc95afffb5d160facbb9d3d733216d55f1660a5d1f3518cdf765902fb53c18ba855c4d340c8330ddde29becb83eb4fad9742983dbeebee6

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
424KB

MD5
8f29364b0e187c56354623bd15e5e353

SHA1
d6e226010825996637fa70f4d4c551456ab678d6

SHA256
b6d3973c0c66c6b85ab32b20efe65134ec629af757e0fe4f8d938d2cfe51b686

SHA512
27c600a369013d006bc95afffb5d160facbb9d3d733216d55f1660a5d1f3518cdf765902fb53c18ba855c4d340c8330ddde29becb83eb4fad9742983dbeebee6

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
424KB

MD5
b1d16477e21eb2cbfd70b761f5595f7e

SHA1
6e3313204d30b6d3e252e474487518d9de04b750

SHA256
1ce57abbcc2694f74a862c2bf2b7aa38dc0cd5a55d73282a7971cc101c146524

SHA512
b2fcb5775bc04f5a5962e1d2ac6d6fd4a6c71c462e8889e0f7e8e1e83cb0ebabcf0982fca05686e29a007f22de47f0dfd14665452073fd8da4a0bac464a54615

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
424KB

MD5
b1d16477e21eb2cbfd70b761f5595f7e

SHA1
6e3313204d30b6d3e252e474487518d9de04b750

SHA256
1ce57abbcc2694f74a862c2bf2b7aa38dc0cd5a55d73282a7971cc101c146524

SHA512
b2fcb5775bc04f5a5962e1d2ac6d6fd4a6c71c462e8889e0f7e8e1e83cb0ebabcf0982fca05686e29a007f22de47f0dfd14665452073fd8da4a0bac464a54615

Download Submit
C:\Windows\SysWOW64\Lldopb32.exe

Filesize
424KB

MD5
04c6a8544832b2d97c7b97a98ffd76eb

SHA1
3b170aaee5a433e882d8e03288ef5deca502d171

SHA256
0792547cc99a90af442e76980e2273f1c630e7ad58c4158f6c0e30bc9cab9dc2

SHA512
acdbf929f14722ecbde2d580ec77a40dd087ca50d85b45c8f6857f06f5331b9429a02c4d7585d63ce05dc4e923072b5f3e800918ac7acd56cdb39128b3b04a2a

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
424KB

MD5
bdaaa71749f3cd3b0b7885cf81e5e2e4

SHA1
38d6ec4e706783424dd458dedb60eb1c6db9fd14

SHA256
3f7afaefe75d9f10b4b1263c1f4a525da2efd8b183bb146891675eb979385fcc

SHA512
1d08bbfcd111f9aa99b3029dcf7ad2496bafe0f46671ee4ae70ccf9421f84815b444e8884b279d32c45cd255b47936b7ad81623158d35a4c0450bbb940a72fd6

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
424KB

MD5
352bb79ed9dec7e28266ed4c16654cbb

SHA1
a991a095922ef2447c72263ab071e7edc0de1275

SHA256
77fdfa4a3c4bde5e0dfca2f9949b8ddfb468f46a708a7a188bde2ffe4dbf6358

SHA512
c346ffd61df292abe718d3e9274e25e51646ffda1af9bcf09050d1c637a0c018e3015897bcaf178fb562f6a99aa97e67ed993fabfd134b42b7d2c3bf3730f64e

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
424KB

MD5
352bb79ed9dec7e28266ed4c16654cbb

SHA1
a991a095922ef2447c72263ab071e7edc0de1275

SHA256
77fdfa4a3c4bde5e0dfca2f9949b8ddfb468f46a708a7a188bde2ffe4dbf6358

SHA512
c346ffd61df292abe718d3e9274e25e51646ffda1af9bcf09050d1c637a0c018e3015897bcaf178fb562f6a99aa97e67ed993fabfd134b42b7d2c3bf3730f64e

Download Submit
C:\Windows\SysWOW64\Loglacfo.exe

Filesize
424KB

MD5
47172d5a8e88c13c6c7d01845e2bfb69

SHA1
e36cdfbf0860ae97361356623b3a1f7e900fd728

SHA256
8a653dd85f91220b10957f183d1d8a7b92c9162712d50f5884126ee4b0e99edd

SHA512
b5cde03c71dbc46a66f05fb287c0e434bfe85526d9a334282b0b36003e142ed55349058371040ea9d66bab8d3ba50bbd369eb670e262173780631ad1f31ddae7

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
424KB

MD5
7b7d730591c402d25fb43a75522ca06b

SHA1
4e5d3898f69cffc2ada2285ed3231a5d9003d063

SHA256
978e77d862a3d965cdc14aaf41462503ff97b78708bfb0eb94fec66c110f1b7c

SHA512
039008b2f3e5adf367ad0de3e10fb304f62b41febdd72f06c046e8106be3fa4305d10d41e9daabfca0108da07bf3bfbaaf29edf384eb33757d48d32dad7d8831

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
424KB

MD5
7b7d730591c402d25fb43a75522ca06b

SHA1
4e5d3898f69cffc2ada2285ed3231a5d9003d063

SHA256
978e77d862a3d965cdc14aaf41462503ff97b78708bfb0eb94fec66c110f1b7c

SHA512
039008b2f3e5adf367ad0de3e10fb304f62b41febdd72f06c046e8106be3fa4305d10d41e9daabfca0108da07bf3bfbaaf29edf384eb33757d48d32dad7d8831

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
424KB

MD5
0a46bb52b95f9aa8098b545450038d97

SHA1
7495a7c8005fba268fd55a392404a718173621d0

SHA256
acde09b028262a6fb26f9e62db68f8a482da3683f1012e43605962c2481c7ed5

SHA512
85c5a6ff22e7b0ccaf212d01df7c6f02acfb6cd65d971a485baf1c31c665bf8e0678b975ebaed1be05972b7f75b5a0b96f978d28ec4e43548f0e51192f2d230a

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
424KB

MD5
0a46bb52b95f9aa8098b545450038d97

SHA1
7495a7c8005fba268fd55a392404a718173621d0

SHA256
acde09b028262a6fb26f9e62db68f8a482da3683f1012e43605962c2481c7ed5

SHA512
85c5a6ff22e7b0ccaf212d01df7c6f02acfb6cd65d971a485baf1c31c665bf8e0678b975ebaed1be05972b7f75b5a0b96f978d28ec4e43548f0e51192f2d230a

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
424KB

MD5
ad8a6c74114bccfd333b2deb0e3b6330

SHA1
8914ac16637dd4a7eedd7e5c0eb06d14dab77b83

SHA256
4040d3db3fcceeff63bb3ddbc4ae5edeecb6eb9a37740578ffa4101ebca41d26

SHA512
8f46fe30af0b339ab8ea305291ebdc4d21145713a53094ce790ad19a8c6b972139e5fb6ee26a5bd04ea508aa3b51149cb80ac17c03b431f331fabe01f7f07bd5

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
424KB

MD5
ad8a6c74114bccfd333b2deb0e3b6330

SHA1
8914ac16637dd4a7eedd7e5c0eb06d14dab77b83

SHA256
4040d3db3fcceeff63bb3ddbc4ae5edeecb6eb9a37740578ffa4101ebca41d26

SHA512
8f46fe30af0b339ab8ea305291ebdc4d21145713a53094ce790ad19a8c6b972139e5fb6ee26a5bd04ea508aa3b51149cb80ac17c03b431f331fabe01f7f07bd5

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
424KB

MD5
ad8a6c74114bccfd333b2deb0e3b6330

SHA1
8914ac16637dd4a7eedd7e5c0eb06d14dab77b83

SHA256
4040d3db3fcceeff63bb3ddbc4ae5edeecb6eb9a37740578ffa4101ebca41d26

SHA512
8f46fe30af0b339ab8ea305291ebdc4d21145713a53094ce790ad19a8c6b972139e5fb6ee26a5bd04ea508aa3b51149cb80ac17c03b431f331fabe01f7f07bd5

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
424KB

MD5
24bf0542aa58d132c8d2332e208e97da

SHA1
3350a3190ee1e77d3cb8a7b9dd004f12e1f223ba

SHA256
71ef113f1dba89d3d9d7e0fc40348930d56ecd20af0eee77f343d83196855ae8

SHA512
39919333e31eb3975e0bc52b9a40c1915b08c61eb4c96283e6e4e9393dd3259f0d664058385b691cd65632e73041b008dca411a27074592fff0d3b9b5b3458ce

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
424KB

MD5
24bf0542aa58d132c8d2332e208e97da

SHA1
3350a3190ee1e77d3cb8a7b9dd004f12e1f223ba

SHA256
71ef113f1dba89d3d9d7e0fc40348930d56ecd20af0eee77f343d83196855ae8

SHA512
39919333e31eb3975e0bc52b9a40c1915b08c61eb4c96283e6e4e9393dd3259f0d664058385b691cd65632e73041b008dca411a27074592fff0d3b9b5b3458ce

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
424KB

MD5
ce81bf8bc8d04ff7a218188a2666de32

SHA1
1e00ac45b84cf0fb12b9dfdf76e6d0d398d20305

SHA256
bd756dc145918c359547584b73532c055201cd3ff51e0969a8ee9aad0a1f3029

SHA512
50bcf0e368ce35ced25381520b20416bb64efa63deec8497a52c6d0224b5471ea8bfa5445f982633632898aa82f5ee332007f07ce5b921b4db5e20119926a63f

Download Submit
C:\Windows\SysWOW64\Mpghkf32.exe

Filesize
424KB

MD5
a3a8dc52c7817e875a8441aaff778f8c

SHA1
817b661751bd011fd9b84befe73c1490243b1e04

SHA256
50d38e5446f244389dbae209fc32842a49f596daec2b626911087629c1a4e123

SHA512
0b5b2355c7d9a27568ff35f873cd2797aef97d2369fb3d2cc4df5d01f8a359190a995f29eeb9b65b973977620d8a9788083e128de08dbd854a1787b1be27604c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
424KB

MD5
195f57d7bbfffb380283557debca8576

SHA1
795a944ec95f014753913b4b714c2f032baa2a48

SHA256
d7b7ad647a966e420365ccd5355eb96de965f63d5ec218a31c22ec4d54312011

SHA512
5e6a3abe0d3fc72170edb3e9785ea27c5aabeb456f7a43b490b3fbd69fbb2277745b7f6cc2c2b07c1053e58d2e48927f0e27c6d04d8c4de046e775c4d6592a6c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
424KB

MD5
195f57d7bbfffb380283557debca8576

SHA1
795a944ec95f014753913b4b714c2f032baa2a48

SHA256
d7b7ad647a966e420365ccd5355eb96de965f63d5ec218a31c22ec4d54312011

SHA512
5e6a3abe0d3fc72170edb3e9785ea27c5aabeb456f7a43b490b3fbd69fbb2277745b7f6cc2c2b07c1053e58d2e48927f0e27c6d04d8c4de046e775c4d6592a6c

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
424KB

MD5
10a8e50d6734f63801c7502b13b4a31b

SHA1
cac6564d8a95ddf38ac813c3557a7a33a898c146

SHA256
e0687fece17dd4f925cb5968cd91d88859d910ed4e39f50ae55a1bf27dbf4735

SHA512
00bed97865f4f40ef8c534fd89bb17cdc177ab5f1e4baf1dbed5e0b3eff72f9497823e16e7d63d4747815eaeb1086d4346d96899133f006a7f32bf388fe76ce1

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
424KB

MD5
10a8e50d6734f63801c7502b13b4a31b

SHA1
cac6564d8a95ddf38ac813c3557a7a33a898c146

SHA256
e0687fece17dd4f925cb5968cd91d88859d910ed4e39f50ae55a1bf27dbf4735

SHA512
00bed97865f4f40ef8c534fd89bb17cdc177ab5f1e4baf1dbed5e0b3eff72f9497823e16e7d63d4747815eaeb1086d4346d96899133f006a7f32bf388fe76ce1

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
424KB

MD5
752f7c1b3186ce0996c55b9f90e8e594

SHA1
a2ff55c20aca6190d120ab5f2ef9a87dce9d05dc

SHA256
207bb3d552cfba2e122244254ebd2fafc7251c20ba79d8f905a22204abb7a676

SHA512
5754d5152292200bfdaf64b903a0e51309bd9a323cd501f9a97155bd124e1113164e619ee473074a81d2a431fd0676e193c9910a77e1dd36a0760afe9773ebbb

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
424KB

MD5
752f7c1b3186ce0996c55b9f90e8e594

SHA1
a2ff55c20aca6190d120ab5f2ef9a87dce9d05dc

SHA256
207bb3d552cfba2e122244254ebd2fafc7251c20ba79d8f905a22204abb7a676

SHA512
5754d5152292200bfdaf64b903a0e51309bd9a323cd501f9a97155bd124e1113164e619ee473074a81d2a431fd0676e193c9910a77e1dd36a0760afe9773ebbb

Download Submit
C:\Windows\SysWOW64\Njfagf32.exe

Filesize
424KB

MD5
975ce100cc2b481c0948e8b9ec8318cf

SHA1
87d65e09985ac23629fbdf8f6b55d55ffc34e68a

SHA256
7a8dec4a7614dbde4b248eed18324f2887f93ea4875117de73807227850d974e

SHA512
c5d259536d15eea17c2b247f4434dee893e64a1e97d559e97a4e430217c4a632d31f67c2c5be584c1454f7bd2c0c2d173c3c9648beeea39acfc0981efd096bd6

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
424KB

MD5
fac223cf381fa18d47f28f08afe72c8e

SHA1
304143c900ed68ef576a80ca0896a8d2e693756f

SHA256
9b7d3809f7449d6db0bf0134e025039e06b9ff72cd08d2d44d8f4b469cc4969e

SHA512
7f8fef6d09b3536116e6e18ae7baa5232b223efa48e63f041e05a934402caf8269ca27bf8d320c31f39e079a49f013754a0e0aed76f6b180e18fce6e473b9c38

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
424KB

MD5
fac223cf381fa18d47f28f08afe72c8e

SHA1
304143c900ed68ef576a80ca0896a8d2e693756f

SHA256
9b7d3809f7449d6db0bf0134e025039e06b9ff72cd08d2d44d8f4b469cc4969e

SHA512
7f8fef6d09b3536116e6e18ae7baa5232b223efa48e63f041e05a934402caf8269ca27bf8d320c31f39e079a49f013754a0e0aed76f6b180e18fce6e473b9c38

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
424KB

MD5
912329e4449f3e755627db2dffded52b

SHA1
bbfb50faa0f93eeab8c6b914f71e9029dfcdc2dc

SHA256
0b667d11c381fb71fb3d3188bffac37e44330fc8cdacc867c4c9824766997df7

SHA512
4279e0624826c32e9eedcd28f0dfdf1b2971fd30774aeb42720d8bb328d62ecd7cedf16acb7caf05db8bd9794c86b16b40691aa8e06c1db360bf8c5ef9cc27c7

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
424KB

MD5
912329e4449f3e755627db2dffded52b

SHA1
bbfb50faa0f93eeab8c6b914f71e9029dfcdc2dc

SHA256
0b667d11c381fb71fb3d3188bffac37e44330fc8cdacc867c4c9824766997df7

SHA512
4279e0624826c32e9eedcd28f0dfdf1b2971fd30774aeb42720d8bb328d62ecd7cedf16acb7caf05db8bd9794c86b16b40691aa8e06c1db360bf8c5ef9cc27c7

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
424KB

MD5
4aab33d99625ca2630ef53652198be51

SHA1
d83d40c339858aee52b72dfc8f000db3246fde76

SHA256
f5a61ce8ecb26ff32ceedcbce94eab2f7ce5400a7756d2acb403bcf0e8ad9a8d

SHA512
2d58187d3aa3a1cdf3581f2336db346370bf7d8861bae8505159507f11963ee2535e4cfa593ab03246a500fcc96afb2efe7706fe753edd2e17598a410d5b7cb7

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
424KB

MD5
23e74f34c22f0edd95673686db07d77c

SHA1
2f855d7ea8e76713787b23e54a17385d12bde4cb

SHA256
3052137003504ee4e31f21db928442b2426cd924e82b3bbd9e467f009a8abb1b

SHA512
56507b77159dfb7b79b59028321d3afdae2a48e59b71582768e5c037ed39c58480e7388f2b0ae2f4212b2af5edcdbed9072305ef776719ba4d92802a28e19e85

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
424KB

MD5
23e74f34c22f0edd95673686db07d77c

SHA1
2f855d7ea8e76713787b23e54a17385d12bde4cb

SHA256
3052137003504ee4e31f21db928442b2426cd924e82b3bbd9e467f009a8abb1b

SHA512
56507b77159dfb7b79b59028321d3afdae2a48e59b71582768e5c037ed39c58480e7388f2b0ae2f4212b2af5edcdbed9072305ef776719ba4d92802a28e19e85

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
424KB

MD5
5fef24ae45b8dab76917031edcc102f9

SHA1
b145eb330577b7060702e6321aac08771c6b5e48

SHA256
e63d410b955f70a55421e5ecaf0fa4f3cf607764fa69f4de827d0b413cda5fd2

SHA512
9699de6438ede90a0d8d1b7114aba08396fc2db63b32c19b41fbb9da37d0553eacb397970e5f8a70a5d616c9200b0a863fc565d2635e2cd1967d77288082958b

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
424KB

MD5
5fef24ae45b8dab76917031edcc102f9

SHA1
b145eb330577b7060702e6321aac08771c6b5e48

SHA256
e63d410b955f70a55421e5ecaf0fa4f3cf607764fa69f4de827d0b413cda5fd2

SHA512
9699de6438ede90a0d8d1b7114aba08396fc2db63b32c19b41fbb9da37d0553eacb397970e5f8a70a5d616c9200b0a863fc565d2635e2cd1967d77288082958b

Download Submit
C:\Windows\SysWOW64\Ohmhmh32.exe

Filesize
424KB

MD5
e919b901711ce5c2b11f90b65517fa49

SHA1
ea608c0290276f07701de1ed312c3afa86c0cfce

SHA256
bf28c2a138653bdcf0c190f374392a50dd7281ee20fbc0c2fa590555075b9273

SHA512
ffff02f708589e8fcbe27836082865c1de409f31c0227597f05b6ea7c44a138e1a17223ab14fa91043e8263c99cd6dc503b65ba840e2cdfaa58eec2842031a72

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
424KB

MD5
c54cf698656eb2b3448d7493335f1c13

SHA1
24fd0877da954993fde93e51579eb798b49cdcd5

SHA256
18c500ecd736daa043920f217060f22618f5f558136fa57e9e7573039866f18e

SHA512
f485f92822b77b2a6dfbe1bd76612772d8a3c5279a4ee0494fe3030a939f14d39fb75ffdffab155f47bf5ad04a44aa2a35c9e5de9b9c88bc39613417c9154983

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
424KB

MD5
0cdfc56af477ed0133833385e4bdb72a

SHA1
eed029484e6d8d51742a5a3ee61d83e4a3b42e4a

SHA256
f95036ea3bd1d1c36f8314d0d4e6b7bf3b01e723a4acfc55a589fb4eb86805c5

SHA512
1d8f7aa6003c91743be81e4ced6441b8456d857d0da0f3efb43d118ca642ade237752ca57d5127ac5e539b189fe2367123610044115bd618fb70cf21b5e6e34f

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
424KB

MD5
0cdfc56af477ed0133833385e4bdb72a

SHA1
eed029484e6d8d51742a5a3ee61d83e4a3b42e4a

SHA256
f95036ea3bd1d1c36f8314d0d4e6b7bf3b01e723a4acfc55a589fb4eb86805c5

SHA512
1d8f7aa6003c91743be81e4ced6441b8456d857d0da0f3efb43d118ca642ade237752ca57d5127ac5e539b189fe2367123610044115bd618fb70cf21b5e6e34f

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
424KB

MD5
6605054c2a8c849b319dbc30cacb15d0

SHA1
6aac135eac5a9d9ef010282d70979a4bfc6ddace

SHA256
d41175682adda0ea191fbbf8aa1d947a676309498c96bdcf15af221a09822f94

SHA512
f4960ca28774e87e63843207f47a444e999d45b8932ffb40c9541de9d4735763c737f3debfae839b107dd28fd72887c86bdc07e090f115fb476ffa14ec77cf9c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
424KB

MD5
6605054c2a8c849b319dbc30cacb15d0

SHA1
6aac135eac5a9d9ef010282d70979a4bfc6ddace

SHA256
d41175682adda0ea191fbbf8aa1d947a676309498c96bdcf15af221a09822f94

SHA512
f4960ca28774e87e63843207f47a444e999d45b8932ffb40c9541de9d4735763c737f3debfae839b107dd28fd72887c86bdc07e090f115fb476ffa14ec77cf9c

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
424KB

MD5
895a385887e1fcaddb8e09def6e32504

SHA1
277d376e4a080a7c10f536faccb698f2bef8fad0

SHA256
c45efd5db2296bbdef91b7751e362e9710a307f0dbe4fed5df14724c05218e0a

SHA512
da2dda4ba781979702266c6dd3ef7f8144bbb19547dc9fbbcd06338b76d0bd84ea83ddd09ad05d5600f7ecbb5ca9f52fa5b9d5a03a69ed4efe2b7322d4816a8d

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
424KB

MD5
895a385887e1fcaddb8e09def6e32504

SHA1
277d376e4a080a7c10f536faccb698f2bef8fad0

SHA256
c45efd5db2296bbdef91b7751e362e9710a307f0dbe4fed5df14724c05218e0a

SHA512
da2dda4ba781979702266c6dd3ef7f8144bbb19547dc9fbbcd06338b76d0bd84ea83ddd09ad05d5600f7ecbb5ca9f52fa5b9d5a03a69ed4efe2b7322d4816a8d

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
424KB

MD5
133417fdd03652a990740c90c9d1ae8b

SHA1
e3525fc048c75979c331a49cd83e3c994b2458db

SHA256
76310cfd87782ed3bec75df13b00ae6901a8efdf0bf22ef895907835d3fafb35

SHA512
4d6ae4c25abf81ffe669bc2483b168d860ddd77e3c9f7c75c60c1158706d5864df999295b92ddb51cca125e9f9d9345595cd6af2a2fe48d28023a5436e1c1269

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
424KB

MD5
133417fdd03652a990740c90c9d1ae8b

SHA1
e3525fc048c75979c331a49cd83e3c994b2458db

SHA256
76310cfd87782ed3bec75df13b00ae6901a8efdf0bf22ef895907835d3fafb35

SHA512
4d6ae4c25abf81ffe669bc2483b168d860ddd77e3c9f7c75c60c1158706d5864df999295b92ddb51cca125e9f9d9345595cd6af2a2fe48d28023a5436e1c1269

Download Submit
C:\Windows\SysWOW64\Pdkoch32.exe

Filesize
320KB

MD5
218b0e964654a65a293666135e662254

SHA1
218ee2bed505d87e6583c847954a0d906888a7d6

SHA256
a871e367643ffcd2b403389e64a689716752ff894fd484fbb9f0db73f188b510

SHA512
604d77a4a4e1b6b18b946948bac23164519c568d90597849b854fc0220899b150d18ac40d68ea686d4c2bf3ad8ad456acfdcb3bf15c0cd027111727afe4855c6

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
424KB

MD5
9107eb32acb56af48a073f52f1323ed6

SHA1
c6277597518159d3fe77294f00840e16f5c24992

SHA256
9a044022f13b3766ab6310d72371b8cb967df3ef8af55f3ddb8f80a37810396d

SHA512
d1071ad09d9266fcc056e32fcc3505e9aee70369c87e76fb662f6f26df1778ff56712e67e50e1c04ab17a58cdd70588d8bb37d51cea237abccf8755684c5554a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
424KB

MD5
9107eb32acb56af48a073f52f1323ed6

SHA1
c6277597518159d3fe77294f00840e16f5c24992

SHA256
9a044022f13b3766ab6310d72371b8cb967df3ef8af55f3ddb8f80a37810396d

SHA512
d1071ad09d9266fcc056e32fcc3505e9aee70369c87e76fb662f6f26df1778ff56712e67e50e1c04ab17a58cdd70588d8bb37d51cea237abccf8755684c5554a

Download Submit
C:\Windows\SysWOW64\Plbmokop.exe

Filesize
424KB

MD5
b110a87eb4153f4f51b999c9c846188b

SHA1
ca4653ce49e3c8297e09067ef3ffc99ae9a36f3b

SHA256
421f300527befc4a8b08c1ce528765e8b7ccfc67331f36fca92240c96d056aba

SHA512
0e4b244d651896bc570d3423a44e06d090acdce12faf6fa70430cc996b9a7e50cbaa02d3e7c3226baf0091494836e616700c71acfcf644e797cbf5e25303bcb6

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
424KB

MD5
1a0e3f1cd8430655b61f3c55d4d6e0d5

SHA1
0c36b0ac42c3e02e156fe66a3a7816f4b7972ff9

SHA256
087183562b20d30178e49da24bb070ce230efd20adec27f94b5121ee5d18f24c

SHA512
bb3a6f9d8dad628db964733312ec0f55781fc4570c891bdc7cf547cfb11094aee8257c2598897a7fbcf350dac1d4a0d61535fb0dfcefbf4e568544456e66382b

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
424KB

MD5
1a0e3f1cd8430655b61f3c55d4d6e0d5

SHA1
0c36b0ac42c3e02e156fe66a3a7816f4b7972ff9

SHA256
087183562b20d30178e49da24bb070ce230efd20adec27f94b5121ee5d18f24c

SHA512
bb3a6f9d8dad628db964733312ec0f55781fc4570c891bdc7cf547cfb11094aee8257c2598897a7fbcf350dac1d4a0d61535fb0dfcefbf4e568544456e66382b

Download Submit
C:\Windows\SysWOW64\Pmoiqneg.exe

Filesize
424KB

MD5
294475075ec02d78d453238d1c16f479

SHA1
b74f9f131ca1afcbd9b239664e7447e62ab634d3

SHA256
1ffb6b461f1914f3dc33739e69efafeab945e7b7f7c334254010bad9855b1990

SHA512
51b2993c687ef16799a4ed819d5e51c00e6ba72bfab243e31e4c47e22e0cbbac59fc82aed60358e4eb534cb4ee1f4642e6b8e3508df50e24a2cadd22b341c7ef

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
424KB

MD5
317f9cc568e6d5282a3f27ca4f988a8b

SHA1
bba3edce7a245051f5edbed4c266e9d60f645525

SHA256
bed55b6305be5d304179a29be579c4f04d5539f39759a751ed905ebfc7bd5028

SHA512
26f5f129c975739246a9ffefc9e89d904e8dd505ae4d41b66781ef7a21d8827c59d1567e4e99652dac6c7daf8bce4931314881b7f0f696bc06e66b95928df30a

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
424KB

MD5
2d3ae01bd8e968b6755df68b62b9921a

SHA1
0257d99a372dae18bee2bf0ec7b23239451cb631

SHA256
f5df05e65f688a9e1cf3d5cefd2b7d32d7c325a35ca6d038452d5243cd59b0b3

SHA512
62417bd527ee3b13d8914ae92bfa1d3ffe1a6f8baa4c6da510da29954b25345281969f6662d31623785607647544281b42c30318df5e6bc720028f31e08bac12

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
424KB

MD5
2d3ae01bd8e968b6755df68b62b9921a

SHA1
0257d99a372dae18bee2bf0ec7b23239451cb631

SHA256
f5df05e65f688a9e1cf3d5cefd2b7d32d7c325a35ca6d038452d5243cd59b0b3

SHA512
62417bd527ee3b13d8914ae92bfa1d3ffe1a6f8baa4c6da510da29954b25345281969f6662d31623785607647544281b42c30318df5e6bc720028f31e08bac12

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
424KB

MD5
506ba9843679e22461349abc8aa1b3d4

SHA1
aea58b2d5faa005319b891003ebd8492a92fe300

SHA256
6c6e448493d2fafc327896507959e5f944a565fc9cc8f9e6a46f72ca3f7991d6

SHA512
b494c6fab885fcbeee8b6e8beb65d10b893ad5b2e58e271ef31430f68954ccbf4245f8a9331d4d908d38828e2f24d51ba6fd8581d5f0a484b23f93b1a33dd232

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
424KB

MD5
506ba9843679e22461349abc8aa1b3d4

SHA1
aea58b2d5faa005319b891003ebd8492a92fe300

SHA256
6c6e448493d2fafc327896507959e5f944a565fc9cc8f9e6a46f72ca3f7991d6

SHA512
b494c6fab885fcbeee8b6e8beb65d10b893ad5b2e58e271ef31430f68954ccbf4245f8a9331d4d908d38828e2f24d51ba6fd8581d5f0a484b23f93b1a33dd232

Download Submit
memory/328-255-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/432-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/452-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/516-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/756-365-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1268-293-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1320-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1464-371-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1704-401-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1764-353-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1852-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2032-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2056-317-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2064-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2100-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2124-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2192-419-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2548-239-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-335-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2864-347-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-199-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3060-148-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3288-299-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3332-223-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3340-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3404-341-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3420-383-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3496-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3512-417-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3592-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3692-377-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3708-407-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3956-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3960-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4060-389-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4132-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4220-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4236-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4244-425-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4320-323-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4348-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4352-24-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4380-305-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4420-443-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4428-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4432-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4496-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4508-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4544-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4560-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4672-191-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4680-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4704-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4736-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4740-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4756-215-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4796-329-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4804-437-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4828-311-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4912-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4924-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4960-359-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5008-431-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5032-395-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads