fb9d22789d9471be012c2b538ecb79a09f8c9f829f473fd18329ed5d26a09db2

Analysis

max time kernel
98s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5215d9e03637d988489ace787edd7420.exe
Size

1.9MB
MD5

5215d9e03637d988489ace787edd7420
SHA1

5961a323a588cad33005658d5b8a03cda7318284
SHA256

fb9d22789d9471be012c2b538ecb79a09f8c9f829f473fd18329ed5d26a09db2
SHA512

fad8ee7254005c3bf359e395005faa6c1b80152071bdfc4196c44cf3a124c630330c8c854f24c86792d93fae0e601cde43fe2fda2e8b3f4979426a5924b3fe3e
SSDEEP

24576:nl4/SNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:e1yj1yj3uOpyj1yjH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjfgealk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jondojna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpeelnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boanniao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndliin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjoqnei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cllkcbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmqoqbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmnkdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgalelin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfqmjajc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjejqcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohbbqme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqbpjmeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmflkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepmjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khifno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opgloh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cediab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogfkpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqpqghgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciqmjkno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfjljhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chphhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ganppk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhaeli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfhddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnbbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kafcadej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fafkoiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcfma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmock32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogfkpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgfjmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moomgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boanniao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnbdlkje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkigmiai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caapfnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmhaek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkfoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plocob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Godehbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klnkoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhofjbnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plimpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jglkfmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhijjll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppdjpcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihicah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koekpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnaco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahffqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddemi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnfdlpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjqfmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndaaj32.exe

Executes dropped EXE 64 IoCs

pid	Process
3716	Maaoaa32.exe
2356	Oklifdmi.exe
456	Ohdbkh32.exe
2052	Phpbffnp.exe
4500	Aijeme32.exe
1184	Bbbblhnc.exe
2648	Dlicflic.exe
5116	Fplnogmb.exe
412	Ghqeihbb.exe
1720	Hpcmfchg.exe
2452	Igieoleg.exe
1344	Jqmicpbj.exe
4384	Lpghfi32.exe
3948	Mabdlk32.exe
1584	Nkdlkope.exe
4028	Ophjdehd.exe
4752	Ppdjpcng.exe
2112	Qdflaa32.exe
540	Anjpeelk.exe
760	Bkhceh32.exe
2460	Ciqmjkno.exe
1776	Dlobmd32.exe
3484	Ejkenpnp.exe
4036	Fhflhcfa.exe
2920	Gkeakl32.exe
972	Hlnqln32.exe
2260	Jkomhhae.exe
2352	Kjqfmn32.exe
4612	Lcbmlbig.exe
408	Mminfech.exe
2908	Ndliin32.exe
764	Pbmffi32.exe
4528	Qdhalj32.exe
2984	Aljmal32.exe
4944	Bnobfn32.exe
3420	Cjflblll.exe
1900	Dmknog32.exe
3032	Dmnkdfce.exe
2184	Eegpkcbd.exe
4128	Eghimo32.exe
2716	Emdaee32.exe
4624	Ecafgo32.exe
3280	Feella32.exe
3824	Ghohdk32.exe
4004	Hmcfma32.exe
2240	Hdokok32.exe
3236	Hdahek32.exe
1312	Headon32.exe
1892	Iolfmcbb.exe
4440	Idkkki32.exe
1772	Ihicah32.exe
3000	Ieoapl32.exe
4212	Jlkfbe32.exe
224	Jkeloa32.exe
1492	Jdnqgg32.exe
4820	Kkjejqcl.exe
3260	Kbfjljhf.exe
4844	Kojkeogp.exe
2732	Klnkoc32.exe
1476	Lnbdlkje.exe
1796	Lndaaj32.exe
4188	Lnfngj32.exe
2220	Lkjoqnei.exe
4668	Lkmkfncf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oklifdmi.exe	Maaoaa32.exe
File created	C:\Windows\SysWOW64\Kolaqh32.exe	Kojdkhdd.exe
File opened for modification	C:\Windows\SysWOW64\Plfipakk.exe	Phhpic32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfhddn.exe	Kpeibdfp.exe
File created	C:\Windows\SysWOW64\Mllcocna.exe	Ddbfkh32.exe
File created	C:\Windows\SysWOW64\Elbffmlj.dll	Pjhlfb32.exe
File created	C:\Windows\SysWOW64\Gmlfldhi.dll	Moomgl32.exe
File opened for modification	C:\Windows\SysWOW64\Ihfpabbd.exe	Ikbphn32.exe
File created	C:\Windows\SysWOW64\Aaiemjgf.dll	Nojfic32.exe
File created	C:\Windows\SysWOW64\Nhdpic32.dll	Lkgdfb32.exe
File created	C:\Windows\SysWOW64\Blqnfcom.dll	Cliahf32.exe
File created	C:\Windows\SysWOW64\Lkmkfncf.exe	Lkjoqnei.exe
File opened for modification	C:\Windows\SysWOW64\Fafkoiji.exe	Hcmbnk32.exe
File created	C:\Windows\SysWOW64\Qoqbbhcm.dll	Poomom32.exe
File created	C:\Windows\SysWOW64\Cnochfnk.dll	Lpqioclc.exe
File created	C:\Windows\SysWOW64\Lcbmlbig.exe	Kjqfmn32.exe
File opened for modification	C:\Windows\SysWOW64\Bedgejbo.exe	Amibqhed.exe
File created	C:\Windows\SysWOW64\Jacnegep.exe	Idonlbff.exe
File created	C:\Windows\SysWOW64\Bghifmbc.dll	Ikndpm32.exe
File created	C:\Windows\SysWOW64\Habndbpf.exe	Hbanfk32.exe
File opened for modification	C:\Windows\SysWOW64\Obcled32.exe	Obqopddf.exe
File opened for modification	C:\Windows\SysWOW64\Gfaaebnj.exe	Gmimll32.exe
File created	C:\Windows\SysWOW64\Fabokoop.dll	Dmknog32.exe
File created	C:\Windows\SysWOW64\Epgobe32.dll	Idkkki32.exe
File created	C:\Windows\SysWOW64\Cllkcbnl.exe	Cljomc32.exe
File created	C:\Windows\SysWOW64\Ihfpabbd.exe	Ikbphn32.exe
File opened for modification	C:\Windows\SysWOW64\Bammeebe.exe	Bhdilold.exe
File created	C:\Windows\SysWOW64\Fcfhhk32.exe	Fafkoiji.exe
File created	C:\Windows\SysWOW64\Nophgffg.dll	Ogcnfheb.exe
File created	C:\Windows\SysWOW64\Nifnao32.exe	Nlbnhkqo.exe
File created	C:\Windows\SysWOW64\Bnpfnp32.dll	Kdbchp32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikhace.exe	Fjqgpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ifefbbdj.exe	Ieeihomg.exe
File opened for modification	C:\Windows\SysWOW64\Mlciobhj.exe	Mckefmai.exe
File created	C:\Windows\SysWOW64\Emdaee32.exe	Eghimo32.exe
File opened for modification	C:\Windows\SysWOW64\Kolaqh32.exe	Kojdkhdd.exe
File created	C:\Windows\SysWOW64\Cojgafon.dll	Ambgnl32.exe
File created	C:\Windows\SysWOW64\Eagnpn32.dll	Jlkfbe32.exe
File opened for modification	C:\Windows\SysWOW64\Cchikf32.exe	Cediab32.exe
File created	C:\Windows\SysWOW64\Ncihbaie.exe	Bfenncdp.exe
File opened for modification	C:\Windows\SysWOW64\Jlkfbe32.exe	Ieoapl32.exe
File created	C:\Windows\SysWOW64\Aifpoj32.exe	Ampojimo.exe
File created	C:\Windows\SysWOW64\Jipkpk32.dll	Fnofpqff.exe
File opened for modification	C:\Windows\SysWOW64\Nacboi32.exe	Ncbaabom.exe
File opened for modification	C:\Windows\SysWOW64\Qaegcb32.exe	Fimonh32.exe
File opened for modification	C:\Windows\SysWOW64\Kojdkhdd.exe	Kafcadej.exe
File created	C:\Windows\SysWOW64\Qdflaa32.exe	Ppdjpcng.exe
File created	C:\Windows\SysWOW64\Ampojimo.exe	Aploae32.exe
File created	C:\Windows\SysWOW64\Lbpecm32.dll	Ccipelcf.exe
File created	C:\Windows\SysWOW64\Habeni32.exe	Hdodeedi.exe
File opened for modification	C:\Windows\SysWOW64\Ncihbaie.exe	Bfenncdp.exe
File created	C:\Windows\SysWOW64\Iaobiplh.dll	Hdehho32.exe
File opened for modification	C:\Windows\SysWOW64\Imjddmpl.exe	Mqpqghgn.exe
File created	C:\Windows\SysWOW64\Mikjmhaq.exe	Llgjcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccipelcf.exe	Cjpllgme.exe
File created	C:\Windows\SysWOW64\Blcfhn32.dll	Jcplle32.exe
File opened for modification	C:\Windows\SysWOW64\Jognokdi.exe	Llpmhodc.exe
File created	C:\Windows\SysWOW64\Knndpffi.dll	Aploae32.exe
File opened for modification	C:\Windows\SysWOW64\Abngccbl.exe	Abkjnd32.exe
File created	C:\Windows\SysWOW64\Alfkli32.exe	Pkigmiai.exe
File created	C:\Windows\SysWOW64\Eegpkcbd.exe	Dmnkdfce.exe
File created	C:\Windows\SysWOW64\Eckogc32.exe	Ejbknnid.exe
File created	C:\Windows\SysWOW64\Ahffqk32.exe	Ajbegg32.exe
File created	C:\Windows\SysWOW64\Kjqfmn32.exe	Jkomhhae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	7008	WerFault.exe	845

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndliin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbhpkpn.dll"	Jdnqgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klnkoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbbhcm.dll"	Poomom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcmbnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcplle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plocob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlicne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jebfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijjpjqc.dll"	Phpbffnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbngino.dll"	Ieoapl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amdiei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danoae32.dll"	Amibqhed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ploobn32.dll"	Anjpeelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnoanl32.dll"	Ihicah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joikdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnnjedj.dll"	Lkmkfncf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebiogg32.dll"	Aoenbkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alfkli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Docmqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmaee32.dll"	Lpghfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjnokej.dll"	Hdokok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmbgm32.dll"	Oofacdaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deoabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngcfgbg.dll"	Alfkli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcmbnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmflkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egomanpl.dll"	Bhfogiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjfpfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeglogfo.dll"	Majoikof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emdaee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cllkcbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkolme32.dll"	Jognokdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbggd32.dll"	Mqkijnkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnihlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkndeo32.dll"	Ndliin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obqopddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjfgealk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fagjolao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idfkednq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieeihomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebifha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdqffaql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkmmbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.5215d9e03637d988489ace787edd7420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbbld32.dll"	Fceihh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbmge32.dll"	Nbjhph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqdoj32.dll"	Ggmock32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaafbp32.dll"	Nfeepdbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majoikof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieeihomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjccjpq.dll"	Jfcbcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbmlbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cediab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbjhph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddbfkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghkgkc.dll"	Joikdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdflaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amdiei32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3716	2160	NEAS.5215d9e03637d988489ace787edd7420.exe	91
PID 2160 wrote to memory of 3716	2160	NEAS.5215d9e03637d988489ace787edd7420.exe	91
PID 2160 wrote to memory of 3716	2160	NEAS.5215d9e03637d988489ace787edd7420.exe	91
PID 3716 wrote to memory of 2356	3716	Maaoaa32.exe	92
PID 3716 wrote to memory of 2356	3716	Maaoaa32.exe	92
PID 3716 wrote to memory of 2356	3716	Maaoaa32.exe	92
PID 2356 wrote to memory of 456	2356	Oklifdmi.exe	93
PID 2356 wrote to memory of 456	2356	Oklifdmi.exe	93
PID 2356 wrote to memory of 456	2356	Oklifdmi.exe	93
PID 456 wrote to memory of 2052	456	Ohdbkh32.exe	94
PID 456 wrote to memory of 2052	456	Ohdbkh32.exe	94
PID 456 wrote to memory of 2052	456	Ohdbkh32.exe	94
PID 2052 wrote to memory of 4500	2052	Phpbffnp.exe	95
PID 2052 wrote to memory of 4500	2052	Phpbffnp.exe	95
PID 2052 wrote to memory of 4500	2052	Phpbffnp.exe	95
PID 4500 wrote to memory of 1184	4500	Aijeme32.exe	96
PID 4500 wrote to memory of 1184	4500	Aijeme32.exe	96
PID 4500 wrote to memory of 1184	4500	Aijeme32.exe	96
PID 1184 wrote to memory of 2648	1184	Bbbblhnc.exe	97
PID 1184 wrote to memory of 2648	1184	Bbbblhnc.exe	97
PID 1184 wrote to memory of 2648	1184	Bbbblhnc.exe	97
PID 2648 wrote to memory of 5116	2648	Dlicflic.exe	98
PID 2648 wrote to memory of 5116	2648	Dlicflic.exe	98
PID 2648 wrote to memory of 5116	2648	Dlicflic.exe	98
PID 5116 wrote to memory of 412	5116	Fplnogmb.exe	99
PID 5116 wrote to memory of 412	5116	Fplnogmb.exe	99
PID 5116 wrote to memory of 412	5116	Fplnogmb.exe	99
PID 412 wrote to memory of 1720	412	Ghqeihbb.exe	100
PID 412 wrote to memory of 1720	412	Ghqeihbb.exe	100
PID 412 wrote to memory of 1720	412	Ghqeihbb.exe	100
PID 1720 wrote to memory of 2452	1720	Hpcmfchg.exe	101
PID 1720 wrote to memory of 2452	1720	Hpcmfchg.exe	101
PID 1720 wrote to memory of 2452	1720	Hpcmfchg.exe	101
PID 2452 wrote to memory of 1344	2452	Igieoleg.exe	102
PID 2452 wrote to memory of 1344	2452	Igieoleg.exe	102
PID 2452 wrote to memory of 1344	2452	Igieoleg.exe	102
PID 1344 wrote to memory of 4384	1344	Jqmicpbj.exe	103
PID 1344 wrote to memory of 4384	1344	Jqmicpbj.exe	103
PID 1344 wrote to memory of 4384	1344	Jqmicpbj.exe	103
PID 4384 wrote to memory of 3948	4384	Lpghfi32.exe	104
PID 4384 wrote to memory of 3948	4384	Lpghfi32.exe	104
PID 4384 wrote to memory of 3948	4384	Lpghfi32.exe	104
PID 3948 wrote to memory of 1584	3948	Mabdlk32.exe	105
PID 3948 wrote to memory of 1584	3948	Mabdlk32.exe	105
PID 3948 wrote to memory of 1584	3948	Mabdlk32.exe	105
PID 1584 wrote to memory of 4028	1584	Nkdlkope.exe	107
PID 1584 wrote to memory of 4028	1584	Nkdlkope.exe	107
PID 1584 wrote to memory of 4028	1584	Nkdlkope.exe	107
PID 4028 wrote to memory of 4752	4028	Ophjdehd.exe	108
PID 4028 wrote to memory of 4752	4028	Ophjdehd.exe	108
PID 4028 wrote to memory of 4752	4028	Ophjdehd.exe	108
PID 4752 wrote to memory of 2112	4752	Ppdjpcng.exe	110
PID 4752 wrote to memory of 2112	4752	Ppdjpcng.exe	110
PID 4752 wrote to memory of 2112	4752	Ppdjpcng.exe	110
PID 2112 wrote to memory of 540	2112	Qdflaa32.exe	111
PID 2112 wrote to memory of 540	2112	Qdflaa32.exe	111
PID 2112 wrote to memory of 540	2112	Qdflaa32.exe	111
PID 540 wrote to memory of 760	540	Anjpeelk.exe	112
PID 540 wrote to memory of 760	540	Anjpeelk.exe	112
PID 540 wrote to memory of 760	540	Anjpeelk.exe	112
PID 760 wrote to memory of 2460	760	Bkhceh32.exe	113
PID 760 wrote to memory of 2460	760	Bkhceh32.exe	113
PID 760 wrote to memory of 2460	760	Bkhceh32.exe	113
PID 2460 wrote to memory of 1776	2460	Ciqmjkno.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.5215d9e03637d988489ace787edd7420.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5215d9e03637d988489ace787edd7420.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Maaoaa32.exe
  C:\Windows\system32\Maaoaa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\Oklifdmi.exe
    C:\Windows\system32\Oklifdmi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Ohdbkh32.exe
      C:\Windows\system32\Ohdbkh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\Phpbffnp.exe
        
        C:\Windows\system32\Phpbffnp.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\SysWOW64\Aijeme32.exe
        
        C:\Windows\system32\Aijeme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Bbbblhnc.exe
        
        C:\Windows\system32\Bbbblhnc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Fplnogmb.exe
        
        C:\Windows\system32\Fplnogmb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Ghqeihbb.exe
        
        C:\Windows\system32\Ghqeihbb.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Hpcmfchg.exe
        
        C:\Windows\system32\Hpcmfchg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Igieoleg.exe
        
        C:\Windows\system32\Igieoleg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Jqmicpbj.exe
        
        C:\Windows\system32\Jqmicpbj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Lpghfi32.exe
        
        C:\Windows\system32\Lpghfi32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Mabdlk32.exe
        
        C:\Windows\system32\Mabdlk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ciqmjkno.exe
        
        C:\Windows\system32\Ciqmjkno.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        23⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Ejkenpnp.exe
        
        C:\Windows\system32\Ejkenpnp.exe
        24⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Fhflhcfa.exe
        
        C:\Windows\system32\Fhflhcfa.exe
        25⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        26⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Hlnqln32.exe
        
        C:\Windows\system32\Hlnqln32.exe
        27⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Jkomhhae.exe
        
        C:\Windows\system32\Jkomhhae.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Kjqfmn32.exe
        
        C:\Windows\system32\Kjqfmn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Lcbmlbig.exe
        
        C:\Windows\system32\Lcbmlbig.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mminfech.exe
        
        C:\Windows\system32\Mminfech.exe
        31⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Ndliin32.exe
        
        C:\Windows\system32\Ndliin32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Pbmffi32.exe
        
        C:\Windows\system32\Pbmffi32.exe
        33⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Qdhalj32.exe
        
        C:\Windows\system32\Qdhalj32.exe
        34⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Aljmal32.exe
        
        C:\Windows\system32\Aljmal32.exe
        35⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Bnobfn32.exe
        
        C:\Windows\system32\Bnobfn32.exe
        36⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Cjflblll.exe
        
        C:\Windows\system32\Cjflblll.exe
        37⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Dmknog32.exe
        
        C:\Windows\system32\Dmknog32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Dmnkdfce.exe
        
        C:\Windows\system32\Dmnkdfce.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Eegpkcbd.exe
        
        C:\Windows\system32\Eegpkcbd.exe
        40⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Eghimo32.exe
        
        C:\Windows\system32\Eghimo32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Emdaee32.exe
        
        C:\Windows\system32\Emdaee32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Ecafgo32.exe
        
        C:\Windows\system32\Ecafgo32.exe
        43⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Feella32.exe
        
        C:\Windows\system32\Feella32.exe
        44⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Ghohdk32.exe
        
        C:\Windows\system32\Ghohdk32.exe
        45⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Hmcfma32.exe
        
        C:\Windows\system32\Hmcfma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Hdokok32.exe
        
        C:\Windows\system32\Hdokok32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Hdahek32.exe
        
        C:\Windows\system32\Hdahek32.exe
        48⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Headon32.exe
        
        C:\Windows\system32\Headon32.exe
        49⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Iolfmcbb.exe
        
        C:\Windows\system32\Iolfmcbb.exe
        50⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Idkkki32.exe
        
        C:\Windows\system32\Idkkki32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ihicah32.exe
        
        C:\Windows\system32\Ihicah32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ieoapl32.exe
        
        C:\Windows\system32\Ieoapl32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Jlkfbe32.exe
        
        C:\Windows\system32\Jlkfbe32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Jkeloa32.exe
        
        C:\Windows\system32\Jkeloa32.exe
        55⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Jdnqgg32.exe
        
        C:\Windows\system32\Jdnqgg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Kkjejqcl.exe
        
        C:\Windows\system32\Kkjejqcl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Kbfjljhf.exe
        
        C:\Windows\system32\Kbfjljhf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Kojkeogp.exe
        
        C:\Windows\system32\Kojkeogp.exe
        59⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Klnkoc32.exe
        
        C:\Windows\system32\Klnkoc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Lnbdlkje.exe
        
        C:\Windows\system32\Lnbdlkje.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Lndaaj32.exe
        
        C:\Windows\system32\Lndaaj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Lnfngj32.exe
        
        C:\Windows\system32\Lnfngj32.exe
        63⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Lkjoqnei.exe
        
        C:\Windows\system32\Lkjoqnei.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Lkmkfncf.exe
        
        C:\Windows\system32\Lkmkfncf.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Miqlpbap.exe
        
        C:\Windows\system32\Miqlpbap.exe
        66⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Mmodfqhf.exe
        
        C:\Windows\system32\Mmodfqhf.exe
        67⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Moomgl32.exe
        
        C:\Windows\system32\Moomgl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Mkfnlmkl.exe
        
        C:\Windows\system32\Mkfnlmkl.exe
        69⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Mnggnh32.exe
        
        C:\Windows\system32\Mnggnh32.exe
        70⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Nnlqig32.exe
        
        C:\Windows\system32\Nnlqig32.exe
        71⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Nmmqgo32.exe
        
        C:\Windows\system32\Nmmqgo32.exe
        72⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Nfeepdbg.exe
        
        C:\Windows\system32\Nfeepdbg.exe
        73⤵
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Nlbnhkqo.exe
        
        C:\Windows\system32\Nlbnhkqo.exe
        74⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Nifnao32.exe
        
        C:\Windows\system32\Nifnao32.exe
        75⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Oemofpel.exe
        
        C:\Windows\system32\Oemofpel.exe
        76⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Obqopddf.exe
        
        C:\Windows\system32\Obqopddf.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Obcled32.exe
        
        C:\Windows\system32\Obcled32.exe
        78⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:524
        
        C:\Windows\SysWOW64\Pehnboko.exe
        
        C:\Windows\system32\Pehnboko.exe
        80⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Plimpg32.exe
        
        C:\Windows\system32\Plimpg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Qmkfoj32.exe
        
        C:\Windows\system32\Qmkfoj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Qfcjhphd.exe
        
        C:\Windows\system32\Qfcjhphd.exe
        83⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Aploae32.exe
        
        C:\Windows\system32\Aploae32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Ampojimo.exe
        
        C:\Windows\system32\Ampojimo.exe
        85⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Aifpoj32.exe
        
        C:\Windows\system32\Aifpoj32.exe
        86⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Abodhpic.exe
        
        C:\Windows\system32\Abodhpic.exe
        87⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Amdiei32.exe
        
        C:\Windows\system32\Amdiei32.exe
        88⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Aepmjk32.exe
        
        C:\Windows\system32\Aepmjk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Aohbbqme.exe
        
        C:\Windows\system32\Aohbbqme.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Amibqhed.exe
        
        C:\Windows\system32\Amibqhed.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Bedgejbo.exe
        
        C:\Windows\system32\Bedgejbo.exe
        92⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Boohcpgm.exe
        
        C:\Windows\system32\Boohcpgm.exe
        93⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Bjielh32.exe
        
        C:\Windows\system32\Bjielh32.exe
        94⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ccajdmin.exe
        
        C:\Windows\system32\Ccajdmin.exe
        95⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Cljomc32.exe
        
        C:\Windows\system32\Cljomc32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Cllkcbnl.exe
        
        C:\Windows\system32\Cllkcbnl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cjpllgme.exe
        
        C:\Windows\system32\Cjpllgme.exe
        98⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ccipelcf.exe
        
        C:\Windows\system32\Ccipelcf.exe
        99⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Cpmqoqbp.exe
        
        C:\Windows\system32\Cpmqoqbp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        101⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Dfnbbg32.exe
        
        C:\Windows\system32\Dfnbbg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3024
        
        C:\Windows\SysWOW64\Dgnolj32.exe
        
        C:\Windows\system32\Dgnolj32.exe
        103⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Dmmdjp32.exe
        
        C:\Windows\system32\Dmmdjp32.exe
        104⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Eonmkkmj.exe
        
        C:\Windows\system32\Eonmkkmj.exe
        105⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Enomic32.exe
        
        C:\Windows\system32\Enomic32.exe
        106⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Efjbne32.exe
        
        C:\Windows\system32\Efjbne32.exe
        107⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Eqdpfm32.exe
        
        C:\Windows\system32\Eqdpfm32.exe
        108⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Fceihh32.exe
        
        C:\Windows\system32\Fceihh32.exe
        109⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Fcgemhic.exe
        
        C:\Windows\system32\Fcgemhic.exe
        110⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Fnofpqff.exe
        
        C:\Windows\system32\Fnofpqff.exe
        111⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Fjfgealk.exe
        
        C:\Windows\system32\Fjfgealk.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Gfmhjb32.exe
        
        C:\Windows\system32\Gfmhjb32.exe
        113⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ggldde32.exe
        
        C:\Windows\system32\Ggldde32.exe
        114⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Gmimll32.exe
        
        C:\Windows\system32\Gmimll32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Gfaaebnj.exe
        
        C:\Windows\system32\Gfaaebnj.exe
        116⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Gpjfng32.exe
        
        C:\Windows\system32\Gpjfng32.exe
        117⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        118⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Hdodeedi.exe
        
        C:\Windows\system32\Hdodeedi.exe
        119⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Habeni32.exe
        
        C:\Windows\system32\Habeni32.exe
        120⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Haeadi32.exe
        
        C:\Windows\system32\Haeadi32.exe
        121⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Idfkednq.exe
        
        C:\Windows\system32\Idfkednq.exe
        122⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Iajkohmj.exe
        
        C:\Windows\system32\Iajkohmj.exe
        123⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Ikbphn32.exe
        
        C:\Windows\system32\Ikbphn32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Ihfpabbd.exe
        
        C:\Windows\system32\Ihfpabbd.exe
        125⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Idonlbff.exe
        
        C:\Windows\system32\Idonlbff.exe
        126⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Jacnegep.exe
        
        C:\Windows\system32\Jacnegep.exe
        127⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Jognokdi.exe
        
        C:\Windows\system32\Jognokdi.exe
        128⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Joikdk32.exe
        
        C:\Windows\system32\Joikdk32.exe
        129⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Jkplilgk.exe
        
        C:\Windows\system32\Jkplilgk.exe
        130⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Jondojna.exe
        
        C:\Windows\system32\Jondojna.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Jopaejlo.exe
        
        C:\Windows\system32\Jopaejlo.exe
        132⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Khifno32.exe
        
        C:\Windows\system32\Khifno32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Kaajfe32.exe
        
        C:\Windows\system32\Kaajfe32.exe
        134⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Kdbchp32.exe
        
        C:\Windows\system32\Kdbchp32.exe
        136⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Kafcadej.exe
        
        C:\Windows\system32\Kafcadej.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Kojdkhdd.exe
        
        C:\Windows\system32\Kojdkhdd.exe
        138⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Kolaqh32.exe
        
        C:\Windows\system32\Kolaqh32.exe
        139⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lhdeinhb.exe
        
        C:\Windows\system32\Lhdeinhb.exe
        140⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        141⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Ldnbdnlc.exe
        
        C:\Windows\system32\Ldnbdnlc.exe
        142⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Laacmbkm.exe
        
        C:\Windows\system32\Laacmbkm.exe
        143⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Lgnleiid.exe
        
        C:\Windows\system32\Lgnleiid.exe
        144⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lkldlgok.exe
        
        C:\Windows\system32\Lkldlgok.exe
        145⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mhpeelnd.exe
        
        C:\Windows\system32\Mhpeelnd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Mqkijnkp.exe
        
        C:\Windows\system32\Mqkijnkp.exe
        147⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Mkcjlf32.exe
        
        C:\Windows\system32\Mkcjlf32.exe
        148⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mqbpjmeg.exe
        
        C:\Windows\system32\Mqbpjmeg.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Nnfpcada.exe
        
        C:\Windows\system32\Nnfpcada.exe
        150⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Nkmmbe32.exe
        
        C:\Windows\system32\Nkmmbe32.exe
        151⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Nojfic32.exe
        
        C:\Windows\system32\Nojfic32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Nombnc32.exe
        
        C:\Windows\system32\Nombnc32.exe
        153⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Oooodcci.exe
        
        C:\Windows\system32\Oooodcci.exe
        154⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Ondleo32.exe
        
        C:\Windows\system32\Ondleo32.exe
        155⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Okhmnc32.exe
        
        C:\Windows\system32\Okhmnc32.exe
        156⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Ogoncd32.exe
        
        C:\Windows\system32\Ogoncd32.exe
        157⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Oiojmgcb.exe
        
        C:\Windows\system32\Oiojmgcb.exe
        158⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Obgofmjb.exe
        
        C:\Windows\system32\Obgofmjb.exe
        159⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Plocob32.exe
        
        C:\Windows\system32\Plocob32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Ppmleagi.exe
        
        C:\Windows\system32\Ppmleagi.exe
        161⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Phhpic32.exe
        
        C:\Windows\system32\Phhpic32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Plfipakk.exe
        
        C:\Windows\system32\Plfipakk.exe
        163⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Pbbnbkpe.exe
        
        C:\Windows\system32\Pbbnbkpe.exe
        164⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Qhofjbnl.exe
        
        C:\Windows\system32\Qhofjbnl.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Qiocde32.exe
        
        C:\Windows\system32\Qiocde32.exe
        166⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Ablahjhj.exe
        
        C:\Windows\system32\Ablahjhj.exe
        167⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Aldeap32.exe
        
        C:\Windows\system32\Aldeap32.exe
        168⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Aemjjeek.exe
        
        C:\Windows\system32\Aemjjeek.exe
        169⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Aoenbkll.exe
        
        C:\Windows\system32\Aoenbkll.exe
        170⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Ahnclp32.exe
        
        C:\Windows\system32\Ahnclp32.exe
        171⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Bafgdfim.exe
        
        C:\Windows\system32\Bafgdfim.exe
        172⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Bpggbm32.exe
        
        C:\Windows\system32\Bpggbm32.exe
        173⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Bbhqdhnm.exe
        
        C:\Windows\system32\Bbhqdhnm.exe
        174⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Bhdilold.exe
        
        C:\Windows\system32\Bhdilold.exe
        175⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Bammeebe.exe
        
        C:\Windows\system32\Bammeebe.exe
        176⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Boanniao.exe
        
        C:\Windows\system32\Boanniao.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Bppjhl32.exe
        
        C:\Windows\system32\Bppjhl32.exe
        178⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ciioaa32.exe
        
        C:\Windows\system32\Ciioaa32.exe
        179⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Ccacjgfb.exe
        
        C:\Windows\system32\Ccacjgfb.exe
        180⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Clihcm32.exe
        
        C:\Windows\system32\Clihcm32.exe
        181⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Chphhn32.exe
        
        C:\Windows\system32\Chphhn32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Cediab32.exe
        
        C:\Windows\system32\Cediab32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Cchikf32.exe
        
        C:\Windows\system32\Cchikf32.exe
        184⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Dcjfpfnh.exe
        
        C:\Windows\system32\Dcjfpfnh.exe
        185⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Dapcab32.exe
        
        C:\Windows\system32\Dapcab32.exe
        186⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Denlgq32.exe
        
        C:\Windows\system32\Denlgq32.exe
        187⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Dofpqfof.exe
        
        C:\Windows\system32\Dofpqfof.exe
        188⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Dhndil32.exe
        
        C:\Windows\system32\Dhndil32.exe
        189⤵
        
        PID:7116

C:\Windows\SysWOW64\Djnaco32.exe
C:\Windows\system32\Djnaco32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6240
- C:\Windows\SysWOW64\Ebifha32.exe
  C:\Windows\system32\Ebifha32.exe
  2⤵
  - Modifies registry class
  PID:6348
- - C:\Windows\SysWOW64\Ejbknnid.exe
    C:\Windows\system32\Ejbknnid.exe
    3⤵
    - Drops file in System32 directory
    PID:6480
  - - C:\Windows\SysWOW64\Eckogc32.exe
      C:\Windows\system32\Eckogc32.exe
      4⤵
      PID:4788
    - - C:\Windows\SysWOW64\Ebplhp32.exe
        
        C:\Windows\system32\Ebplhp32.exe
        5⤵
        
        PID:6752
      - C:\Windows\SysWOW64\Efnennjc.exe
        
        C:\Windows\system32\Efnennjc.exe
        6⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Fcdbmb32.exe
        
        C:\Windows\system32\Fcdbmb32.exe
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Fqhbgf32.exe
        
        C:\Windows\system32\Fqhbgf32.exe
        8⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Fjqgpl32.exe
        
        C:\Windows\system32\Fjqgpl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Fcikhace.exe
        
        C:\Windows\system32\Fcikhace.exe
        10⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Foplnb32.exe
        
        C:\Windows\system32\Foplnb32.exe
        11⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Gmclgghc.exe
        
        C:\Windows\system32\Gmclgghc.exe
        12⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Godehbed.exe
        
        C:\Windows\system32\Godehbed.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Gimjag32.exe
        
        C:\Windows\system32\Gimjag32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Gfqjkljn.exe
        
        C:\Windows\system32\Gfqjkljn.exe
        15⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Gcdkdpih.exe
        
        C:\Windows\system32\Gcdkdpih.exe
        16⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Gjapfjnb.exe
        
        C:\Windows\system32\Gjapfjnb.exe
        17⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Hjcllilo.exe
        
        C:\Windows\system32\Hjcllilo.exe
        18⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Hboaql32.exe
        
        C:\Windows\system32\Hboaql32.exe
        19⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Hbanfk32.exe
        
        C:\Windows\system32\Hbanfk32.exe
        20⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Habndbpf.exe
        
        C:\Windows\system32\Habndbpf.exe
        21⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Jbmfig32.exe
        
        C:\Windows\system32\Jbmfig32.exe
        22⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lgikpc32.exe
        
        C:\Windows\system32\Lgikpc32.exe
        23⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Lpapiipo.exe
        
        C:\Windows\system32\Lpapiipo.exe
        24⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Lkgdfb32.exe
        
        C:\Windows\system32\Lkgdfb32.exe
        25⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lcbikd32.exe
        
        C:\Windows\system32\Lcbikd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Lpfidh32.exe
        
        C:\Windows\system32\Lpfidh32.exe
        27⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Mnjjmmkc.exe
        
        C:\Windows\system32\Mnjjmmkc.exe
        28⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Mgbnfb32.exe
        
        C:\Windows\system32\Mgbnfb32.exe
        29⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Mdfopf32.exe
        
        C:\Windows\system32\Mdfopf32.exe
        30⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Majoikof.exe
        
        C:\Windows\system32\Majoikof.exe
        31⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ncbaabom.exe
        
        C:\Windows\system32\Ncbaabom.exe
        32⤵
        Drops file in System32 directory
        
        PID:7180
        
        C:\Windows\SysWOW64\Nacboi32.exe
        
        C:\Windows\system32\Nacboi32.exe
        33⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Nklfho32.exe
        
        C:\Windows\system32\Nklfho32.exe
        34⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Nkncno32.exe
        
        C:\Windows\system32\Nkncno32.exe
        35⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Ncihbaie.exe
        
        C:\Windows\system32\Ncihbaie.exe
        36⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Nbjhph32.exe
        
        C:\Windows\system32\Nbjhph32.exe
        37⤵
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Ojfmdk32.exe
        
        C:\Windows\system32\Ojfmdk32.exe
        38⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ojhijjll.exe
        
        C:\Windows\system32\Ojhijjll.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Onfbpi32.exe
        
        C:\Windows\system32\Onfbpi32.exe
        40⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Ognginic.exe
        
        C:\Windows\system32\Ognginic.exe
        41⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Odbgbb32.exe
        
        C:\Windows\system32\Odbgbb32.exe
        42⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Onklkhnn.exe
        
        C:\Windows\system32\Onklkhnn.exe
        43⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Pnmhqh32.exe
        
        C:\Windows\system32\Pnmhqh32.exe
        44⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Pclnon32.exe
        
        C:\Windows\system32\Pclnon32.exe
        45⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Pgjfdm32.exe
        
        C:\Windows\system32\Pgjfdm32.exe
        46⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Qaegcb32.exe
        
        C:\Windows\system32\Qaegcb32.exe
        47⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Qnihlf32.exe
        
        C:\Windows\system32\Qnihlf32.exe
        48⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Qgalelin.exe
        
        C:\Windows\system32\Qgalelin.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7956
        
        C:\Windows\SysWOW64\Aaianaoo.exe
        
        C:\Windows\system32\Aaianaoo.exe
        50⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Ajbegg32.exe
        
        C:\Windows\system32\Ajbegg32.exe
        51⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Ahffqk32.exe
        
        C:\Windows\system32\Ahffqk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8104
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        53⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\Abngccbl.exe
        
        C:\Windows\system32\Abngccbl.exe
        54⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Alfkli32.exe
        
        C:\Windows\system32\Alfkli32.exe
        55⤵
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Aenpeoom.exe
        
        C:\Windows\system32\Aenpeoom.exe
        56⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Baepjpea.exe
        
        C:\Windows\system32\Baepjpea.exe
        57⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Bhaeli32.exe
        
        C:\Windows\system32\Bhaeli32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7484
        
        C:\Windows\SysWOW64\Bajjeo32.exe
        
        C:\Windows\system32\Bajjeo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4612
        
        C:\Windows\SysWOW64\Bjbnndgl.exe
        
        C:\Windows\system32\Bjbnndgl.exe
        60⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Bhfogiff.exe
        
        C:\Windows\system32\Bhfogiff.exe
        61⤵
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Caapfnkd.exe
        
        C:\Windows\system32\Caapfnkd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7736
        
        C:\Windows\SysWOW64\Cbqlpabf.exe
        
        C:\Windows\system32\Cbqlpabf.exe
        63⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Cliahf32.exe
        
        C:\Windows\system32\Cliahf32.exe
        64⤵
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\Cddemi32.exe
        
        C:\Windows\system32\Cddemi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7940
        
        C:\Windows\SysWOW64\Cahffmel.exe
        
        C:\Windows\system32\Cahffmel.exe
        66⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Dhdkig32.exe
        
        C:\Windows\system32\Dhdkig32.exe
        67⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Dampal32.exe
        
        C:\Windows\system32\Dampal32.exe
        68⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Dbllkohi.exe
        
        C:\Windows\system32\Dbllkohi.exe
        69⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Docmqp32.exe
        
        C:\Windows\system32\Docmqp32.exe
        70⤵
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Dlgmjdlg.exe
        
        C:\Windows\system32\Dlgmjdlg.exe
        71⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Deoabj32.exe
        
        C:\Windows\system32\Deoabj32.exe
        72⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Dogfkpih.exe
        
        C:\Windows\system32\Dogfkpih.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7532
        
        C:\Windows\SysWOW64\Ekngqqol.exe
        
        C:\Windows\system32\Ekngqqol.exe
        74⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Ekqcfpmj.exe
        
        C:\Windows\system32\Ekqcfpmj.exe
        75⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Eehdii32.exe
        
        C:\Windows\system32\Eehdii32.exe
        76⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Eekanh32.exe
        
        C:\Windows\system32\Eekanh32.exe
        77⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Femndhgh.exe
        
        C:\Windows\system32\Femndhgh.exe
        78⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Ffpjihee.exe
        
        C:\Windows\system32\Ffpjihee.exe
        79⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Fafkoiji.exe
        
        C:\Windows\system32\Fafkoiji.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Fcfhhk32.exe
        
        C:\Windows\system32\Fcfhhk32.exe
        81⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Flnlaahl.exe
        
        C:\Windows\system32\Flnlaahl.exe
        82⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Fdiafc32.exe
        
        C:\Windows\system32\Fdiafc32.exe
        83⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Fckacknf.exe
        
        C:\Windows\system32\Fckacknf.exe
        84⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Imjddmpl.exe
        
        C:\Windows\system32\Imjddmpl.exe
        85⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Ieeihomg.exe
        
        C:\Windows\system32\Ieeihomg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Ifefbbdj.exe
        
        C:\Windows\system32\Ifefbbdj.exe
        87⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Ipmjkh32.exe
        
        C:\Windows\system32\Ipmjkh32.exe
        88⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Iihkjm32.exe
        
        C:\Windows\system32\Iihkjm32.exe
        89⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Jbqpbbfi.exe
        
        C:\Windows\system32\Jbqpbbfi.exe
        90⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Jcplle32.exe
        
        C:\Windows\system32\Jcplle32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Jmhaek32.exe
        
        C:\Windows\system32\Jmhaek32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1628
        
        C:\Windows\SysWOW64\Jmknkk32.exe
        
        C:\Windows\system32\Jmknkk32.exe
        93⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Jfcbcp32.exe
        
        C:\Windows\system32\Jfcbcp32.exe
        94⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Jcgbmd32.exe
        
        C:\Windows\system32\Jcgbmd32.exe
        95⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Jmpgfjmd.exe
        
        C:\Windows\system32\Jmpgfjmd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Kfhkop32.exe
        
        C:\Windows\system32\Kfhkop32.exe
        97⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Kppphe32.exe
        
        C:\Windows\system32\Kppphe32.exe
        98⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Kmdqai32.exe
        
        C:\Windows\system32\Kmdqai32.exe
        99⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Keoeel32.exe
        
        C:\Windows\system32\Keoeel32.exe
        100⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Kpeibdfp.exe
        
        C:\Windows\system32\Kpeibdfp.exe
        101⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Kpgfhddn.exe
        
        C:\Windows\system32\Kpgfhddn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Kipkaj32.exe
        
        C:\Windows\system32\Kipkaj32.exe
        103⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Lfckjnjh.exe
        
        C:\Windows\system32\Lfckjnjh.exe
        104⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Lbjlpo32.exe
        
        C:\Windows\system32\Lbjlpo32.exe
        105⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Lpnlicne.exe
        
        C:\Windows\system32\Lpnlicne.exe
        106⤵
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Lpqioclc.exe
        
        C:\Windows\system32\Lpqioclc.exe
        107⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Llgjcd32.exe
        
        C:\Windows\system32\Llgjcd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mikjmhaq.exe
        
        C:\Windows\system32\Mikjmhaq.exe
        109⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Mgokflpj.exe
        
        C:\Windows\system32\Mgokflpj.exe
        110⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Mllcocna.exe
        
        C:\Windows\system32\Mllcocna.exe
        111⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Medggidb.exe
        
        C:\Windows\system32\Medggidb.exe
        112⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Mgddal32.exe
        
        C:\Windows\system32\Mgddal32.exe
        113⤵
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Mckefmai.exe
        
        C:\Windows\system32\Mckefmai.exe
        114⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Mlciobhj.exe
        
        C:\Windows\system32\Mlciobhj.exe
        115⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Npabeq32.exe
        
        C:\Windows\system32\Npabeq32.exe
        116⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Npcokpln.exe
        
        C:\Windows\system32\Npcokpln.exe
        117⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Nebdighb.exe
        
        C:\Windows\system32\Nebdighb.exe
        118⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Ndcdfnpa.exe
        
        C:\Windows\system32\Ndcdfnpa.exe
        119⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Nloikqnl.exe
        
        C:\Windows\system32\Nloikqnl.exe
        120⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Pfeiedhm.exe
        
        C:\Windows\system32\Pfeiedhm.exe
        121⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Pjcbkbnc.exe
        
        C:\Windows\system32\Pjcbkbnc.exe
        122⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Pggbdgmm.exe
        
        C:\Windows\system32\Pggbdgmm.exe
        123⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Pdkcnklf.exe
        
        C:\Windows\system32\Pdkcnklf.exe
        124⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Pjhlfb32.exe
        
        C:\Windows\system32\Pjhlfb32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Qcppogqo.exe
        
        C:\Windows\system32\Qcppogqo.exe
        126⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Qnfdlpqd.exe
        
        C:\Windows\system32\Qnfdlpqd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Qgnief32.exe
        
        C:\Windows\system32\Qgnief32.exe
        128⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Aedfdjdl.exe
        
        C:\Windows\system32\Aedfdjdl.exe
        129⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Aegbji32.exe
        
        C:\Windows\system32\Aegbji32.exe
        130⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Ambgnl32.exe
        
        C:\Windows\system32\Ambgnl32.exe
        131⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Agjhadmh.exe
        
        C:\Windows\system32\Agjhadmh.exe
        132⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Bepeph32.exe
        
        C:\Windows\system32\Bepeph32.exe
        133⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Bnkgomnl.exe
        
        C:\Windows\system32\Bnkgomnl.exe
        134⤵
        
        PID:696

C:\Windows\SysWOW64\Bfhhho32.exe
C:\Windows\system32\Bfhhho32.exe
1⤵
PID:7728
- C:\Windows\SysWOW64\Chjaha32.exe
  C:\Windows\system32\Chjaha32.exe
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\Cenaaf32.exe
    C:\Windows\system32\Cenaaf32.exe
    3⤵
    PID:5644
  - - C:\Windows\SysWOW64\Chokcakp.exe
      C:\Windows\system32\Chokcakp.exe
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\Cdfkhb32.exe
        
        C:\Windows\system32\Cdfkhb32.exe
        5⤵
        
        PID:5352
      - C:\Windows\SysWOW64\Deehbe32.exe
        
        C:\Windows\system32\Deehbe32.exe
        6⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Delnbdao.exe
        
        C:\Windows\system32\Delnbdao.exe
        7⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Dkifkkpf.exe
        
        C:\Windows\system32\Dkifkkpf.exe
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Eolhlh32.exe
        
        C:\Windows\system32\Eolhlh32.exe
        9⤵
        
        PID:184
        
        C:\Windows\SysWOW64\Edhado32.exe
        
        C:\Windows\system32\Edhado32.exe
        10⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Eopbghnb.exe
        
        C:\Windows\system32\Eopbghnb.exe
        11⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Fkgbli32.exe
        
        C:\Windows\system32\Fkgbli32.exe
        12⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Fkiobhac.exe
        
        C:\Windows\system32\Fkiobhac.exe
        13⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Fdbdkn32.exe
        
        C:\Windows\system32\Fdbdkn32.exe
        14⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Foghhg32.exe
        
        C:\Windows\system32\Foghhg32.exe
        15⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Ggnlhgkg.exe
        
        C:\Windows\system32\Ggnlhgkg.exe
        16⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ghnibj32.exe
        
        C:\Windows\system32\Ghnibj32.exe
        17⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Gnkajapa.exe
        
        C:\Windows\system32\Gnkajapa.exe
        18⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Hkaoiemi.exe
        
        C:\Windows\system32\Hkaoiemi.exe
        19⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Hnagkp32.exe
        
        C:\Windows\system32\Hnagkp32.exe
        20⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Hhglhi32.exe
        
        C:\Windows\system32\Hhglhi32.exe
        21⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ikmnec32.exe
        
        C:\Windows\system32\Ikmnec32.exe
        22⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Igcojdhp.exe
        
        C:\Windows\system32\Igcojdhp.exe
        23⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Iickdgpb.exe
        
        C:\Windows\system32\Iickdgpb.exe
        24⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\Ifglmlol.exe
        
        C:\Windows\system32\Ifglmlol.exe
        25⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Jigdoglm.exe
        
        C:\Windows\system32\Jigdoglm.exe
        26⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jgmapcqe.exe
        
        C:\Windows\system32\Jgmapcqe.exe
        27⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jfnbnk32.exe
        
        C:\Windows\system32\Jfnbnk32.exe
        28⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jfbkijdo.exe
        
        C:\Windows\system32\Jfbkijdo.exe
        29⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kehhjfif.exe
        
        C:\Windows\system32\Kehhjfif.exe
        30⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kejepfgd.exe
        
        C:\Windows\system32\Kejepfgd.exe
        31⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Knbiil32.exe
        
        C:\Windows\system32\Knbiil32.exe
        32⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kpbfbo32.exe
        
        C:\Windows\system32\Kpbfbo32.exe
        33⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Kijjldkh.exe
        
        C:\Windows\system32\Kijjldkh.exe
        34⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kfnkeh32.exe
        
        C:\Windows\system32\Kfnkeh32.exe
        35⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Lbekjipe.exe
        
        C:\Windows\system32\Lbekjipe.exe
        36⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Lpilcnoo.exe
        
        C:\Windows\system32\Lpilcnoo.exe
        37⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Llpmhodc.exe
        
        C:\Windows\system32\Llpmhodc.exe
        38⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Lehaad32.exe
        
        C:\Windows\system32\Lehaad32.exe
        39⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Loqejjad.exe
        
        C:\Windows\system32\Loqejjad.exe
        40⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Locbpi32.exe
        
        C:\Windows\system32\Locbpi32.exe
        41⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Llgcin32.exe
        
        C:\Windows\system32\Llgcin32.exe
        42⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Mikcbb32.exe
        
        C:\Windows\system32\Mikcbb32.exe
        43⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Meadgc32.exe
        
        C:\Windows\system32\Meadgc32.exe
        44⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mfaqafjl.exe
        
        C:\Windows\system32\Mfaqafjl.exe
        45⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Molefh32.exe
        
        C:\Windows\system32\Molefh32.exe
        46⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Mbjnlfnn.exe
        
        C:\Windows\system32\Mbjnlfnn.exe
        47⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Mhgfdmle.exe
        
        C:\Windows\system32\Mhgfdmle.exe
        48⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Nekgna32.exe
        
        C:\Windows\system32\Nekgna32.exe
        49⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Nockfgao.exe
        
        C:\Windows\system32\Nockfgao.exe
        50⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Niipdpae.exe
        
        C:\Windows\system32\Niipdpae.exe
        51⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Niklip32.exe
        
        C:\Windows\system32\Niklip32.exe
        52⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Nohdaf32.exe
        
        C:\Windows\system32\Nohdaf32.exe
        53⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Nllekk32.exe
        
        C:\Windows\system32\Nllekk32.exe
        54⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Nedjdp32.exe
        
        C:\Windows\system32\Nedjdp32.exe
        55⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Oomnmfid.exe
        
        C:\Windows\system32\Oomnmfid.exe
        56⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Ohebek32.exe
        
        C:\Windows\system32\Ohebek32.exe
        57⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Oidopn32.exe
        
        C:\Windows\system32\Oidopn32.exe
        58⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Oghpib32.exe
        
        C:\Windows\system32\Oghpib32.exe
        59⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Oocdme32.exe
        
        C:\Windows\system32\Oocdme32.exe
        60⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Oofacdaj.exe
        
        C:\Windows\system32\Oofacdaj.exe
        61⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Pljalipc.exe
        
        C:\Windows\system32\Pljalipc.exe
        62⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Pebfen32.exe
        
        C:\Windows\system32\Pebfen32.exe
        63⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Phcogice.exe
        
        C:\Windows\system32\Phcogice.exe
        64⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Pjbkal32.exe
        
        C:\Windows\system32\Pjbkal32.exe
        65⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Pgfljqia.exe
        
        C:\Windows\system32\Pgfljqia.exe
        66⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Pcmloa32.exe
        
        C:\Windows\system32\Pcmloa32.exe
        67⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Qcpieamc.exe
        
        C:\Windows\system32\Qcpieamc.exe
        68⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Qofjjb32.exe
        
        C:\Windows\system32\Qofjjb32.exe
        69⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Aoifoa32.exe
        
        C:\Windows\system32\Aoifoa32.exe
        70⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ahakhg32.exe
        
        C:\Windows\system32\Ahakhg32.exe
        71⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ajqgbjoh.exe
        
        C:\Windows\system32\Ajqgbjoh.exe
        72⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Amaqde32.exe
        
        C:\Windows\system32\Amaqde32.exe
        73⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Aggean32.exe
        
        C:\Windows\system32\Aggean32.exe
        74⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Aqoijcbo.exe
        
        C:\Windows\system32\Aqoijcbo.exe
        75⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Bjgncihp.exe
        
        C:\Windows\system32\Bjgncihp.exe
        76⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Bgknlmgi.exe
        
        C:\Windows\system32\Bgknlmgi.exe
        77⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Bogcqpdd.exe
        
        C:\Windows\system32\Bogcqpdd.exe
        78⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Bcdlgnkk.exe
        
        C:\Windows\system32\Bcdlgnkk.exe
        79⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Bmmppc32.exe
        
        C:\Windows\system32\Bmmppc32.exe
        80⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Bmomecoi.exe
        
        C:\Windows\system32\Bmomecoi.exe
        81⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Cifmjd32.exe
        
        C:\Windows\system32\Cifmjd32.exe
        82⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cggnhlml.exe
        
        C:\Windows\system32\Cggnhlml.exe
        83⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ccnnmmbp.exe
        
        C:\Windows\system32\Ccnnmmbp.exe
        84⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Cpeobn32.exe
        
        C:\Windows\system32\Cpeobn32.exe
        85⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Cimckcoe.exe
        
        C:\Windows\system32\Cimckcoe.exe
        86⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Cgndikgd.exe
        
        C:\Windows\system32\Cgndikgd.exe
        87⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Dgqqnjea.exe
        
        C:\Windows\system32\Dgqqnjea.exe
        88⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Daiegp32.exe
        
        C:\Windows\system32\Daiegp32.exe
        89⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Dffmogji.exe
        
        C:\Windows\system32\Dffmogji.exe
        90⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Dfhjefhf.exe
        
        C:\Windows\system32\Dfhjefhf.exe
        91⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Dpqonl32.exe
        
        C:\Windows\system32\Dpqonl32.exe
        92⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Djfckenm.exe
        
        C:\Windows\system32\Djfckenm.exe
        93⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Dhjcdimf.exe
        
        C:\Windows\system32\Dhjcdimf.exe
        94⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Dmglmpkn.exe
        
        C:\Windows\system32\Dmglmpkn.exe
        95⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Eaddcnad.exe
        
        C:\Windows\system32\Eaddcnad.exe
        96⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Efamkepl.exe
        
        C:\Windows\system32\Efamkepl.exe
        97⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Edemdine.exe
        
        C:\Windows\system32\Edemdine.exe
        98⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Emnbmoef.exe
        
        C:\Windows\system32\Emnbmoef.exe
        99⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Empococc.exe
        
        C:\Windows\system32\Empococc.exe
        100⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Eigohp32.exe
        
        C:\Windows\system32\Eigohp32.exe
        101⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Fdlcehhn.exe
        
        C:\Windows\system32\Fdlcehhn.exe
        102⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Fhjlkg32.exe
        
        C:\Windows\system32\Fhjlkg32.exe
        103⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Fpeapilo.exe
        
        C:\Windows\system32\Fpeapilo.exe
        104⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Fineho32.exe
        
        C:\Windows\system32\Fineho32.exe
        105⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Fdcjfg32.exe
        
        C:\Windows\system32\Fdcjfg32.exe
        106⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Fagjolao.exe
        
        C:\Windows\system32\Fagjolao.exe
        107⤵
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Fmnkdm32.exe
        
        C:\Windows\system32\Fmnkdm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Ggfombmd.exe
        
        C:\Windows\system32\Ggfombmd.exe
        109⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Galcjkmj.exe
        
        C:\Windows\system32\Galcjkmj.exe
        110⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ganppk32.exe
        
        C:\Windows\system32\Ganppk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4124
        
        C:\Windows\SysWOW64\Gneaelqk.exe
        
        C:\Windows\system32\Gneaelqk.exe
        112⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Ghkebd32.exe
        
        C:\Windows\system32\Ghkebd32.exe
        113⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Gacjkjgb.exe
        
        C:\Windows\system32\Gacjkjgb.exe
        114⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Gnjjpk32.exe
        
        C:\Windows\system32\Gnjjpk32.exe
        115⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Hnlgekkc.exe
        
        C:\Windows\system32\Hnlgekkc.exe
        116⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Hkpgooim.exe
        
        C:\Windows\system32\Hkpgooim.exe
        117⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Hhdhhchf.exe
        
        C:\Windows\system32\Hhdhhchf.exe
        118⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Halmaiog.exe
        
        C:\Windows\system32\Halmaiog.exe
        119⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Hgieipmo.exe
        
        C:\Windows\system32\Hgieipmo.exe
        120⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Inejlibi.exe
        
        C:\Windows\system32\Inejlibi.exe
        121⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Ignndo32.exe
        
        C:\Windows\system32\Ignndo32.exe
        122⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Igpkjo32.exe
        
        C:\Windows\system32\Igpkjo32.exe
        123⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Iqipcd32.exe
        
        C:\Windows\system32\Iqipcd32.exe
        124⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ikndpm32.exe
        
        C:\Windows\system32\Ikndpm32.exe
        125⤵
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Idfhibdn.exe
        
        C:\Windows\system32\Idfhibdn.exe
        126⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ijcaaibe.exe
        
        C:\Windows\system32\Ijcaaibe.exe
        127⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Ihdaoajd.exe
        
        C:\Windows\system32\Ihdaoajd.exe
        128⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Jnaighhk.exe
        
        C:\Windows\system32\Jnaighhk.exe
        129⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Jhgneqha.exe
        
        C:\Windows\system32\Jhgneqha.exe
        130⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Jbobnf32.exe
        
        C:\Windows\system32\Jbobnf32.exe
        131⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Jglkfmmi.exe
        
        C:\Windows\system32\Jglkfmmi.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Jbaocfmo.exe
        
        C:\Windows\system32\Jbaocfmo.exe
        133⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Jkjclk32.exe
        
        C:\Windows\system32\Jkjclk32.exe
        134⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Majjgmco.exe
        
        C:\Windows\system32\Majjgmco.exe
        135⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Nlbkjf32.exe
        
        C:\Windows\system32\Nlbkjf32.exe
        136⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nhhlog32.exe
        
        C:\Windows\system32\Nhhlog32.exe
        137⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Nelmik32.exe
        
        C:\Windows\system32\Nelmik32.exe
        138⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Nacmnlkd.exe
        
        C:\Windows\system32\Nacmnlkd.exe
        139⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Nbcjhobg.exe
        
        C:\Windows\system32\Nbcjhobg.exe
        140⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Nhpbpepo.exe
        
        C:\Windows\system32\Nhpbpepo.exe
        141⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Oioojh32.exe
        
        C:\Windows\system32\Oioojh32.exe
        142⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Oejijiip.exe
        
        C:\Windows\system32\Oejijiip.exe
        143⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Okgabpgg.exe
        
        C:\Windows\system32\Okgabpgg.exe
        144⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Ohkbldfa.exe
        
        C:\Windows\system32\Ohkbldfa.exe
        145⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Peobeh32.exe
        
        C:\Windows\system32\Peobeh32.exe
        146⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Pafcjijo.exe
        
        C:\Windows\system32\Pafcjijo.exe
        147⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Pedlpgqe.exe
        
        C:\Windows\system32\Pedlpgqe.exe
        148⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Pakleh32.exe
        
        C:\Windows\system32\Pakleh32.exe
        149⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Poomom32.exe
        
        C:\Windows\system32\Poomom32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Pcmeek32.exe
        
        C:\Windows\system32\Pcmeek32.exe
        151⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Qocfjlan.exe
        
        C:\Windows\system32\Qocfjlan.exe
        152⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Qlggcp32.exe
        
        C:\Windows\system32\Qlggcp32.exe
        153⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Acaopjgd.exe
        
        C:\Windows\system32\Acaopjgd.exe
        154⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Ahnghafl.exe
        
        C:\Windows\system32\Ahnghafl.exe
        155⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Aaflag32.exe
        
        C:\Windows\system32\Aaflag32.exe
        156⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Afddge32.exe
        
        C:\Windows\system32\Afddge32.exe
        157⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Aomipkic.exe
        
        C:\Windows\system32\Aomipkic.exe
        158⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Akcjel32.exe
        
        C:\Windows\system32\Akcjel32.exe
        159⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ahgjnpna.exe
        
        C:\Windows\system32\Ahgjnpna.exe
        160⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\Blecdn32.exe
        
        C:\Windows\system32\Blecdn32.exe
        161⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Bjicnbba.exe
        
        C:\Windows\system32\Bjicnbba.exe
        162⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Bfpdcc32.exe
        
        C:\Windows\system32\Bfpdcc32.exe
        163⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Bhqmdoef.exe
        
        C:\Windows\system32\Bhqmdoef.exe
        164⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Bfenncdp.exe
        
        C:\Windows\system32\Bfenncdp.exe
        165⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Ccinggcj.exe
        
        C:\Windows\system32\Ccinggcj.exe
        166⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Ckdcli32.exe
        
        C:\Windows\system32\Ckdcli32.exe
        167⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Ccmgbf32.exe
        
        C:\Windows\system32\Ccmgbf32.exe
        168⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Cmflkl32.exe
        
        C:\Windows\system32\Cmflkl32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Cfnqdale.exe
        
        C:\Windows\system32\Cfnqdale.exe
        170⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Ckkilhjm.exe
        
        C:\Windows\system32\Ckkilhjm.exe
        171⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Cfqmjajc.exe
        
        C:\Windows\system32\Cfqmjajc.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7364
        
        C:\Windows\SysWOW64\Djnfppqi.exe
        
        C:\Windows\system32\Djnfppqi.exe
        173⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Dbikdbnd.exe
        
        C:\Windows\system32\Dbikdbnd.exe
        174⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Dcigneeg.exe
        
        C:\Windows\system32\Dcigneeg.exe
        175⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Dmakgj32.exe
        
        C:\Windows\system32\Dmakgj32.exe
        176⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Dfjpppbh.exe
        
        C:\Windows\system32\Dfjpppbh.exe
        177⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Dlfhhgpp.exe
        
        C:\Windows\system32\Dlfhhgpp.exe
        178⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ecpmod32.exe
        
        C:\Windows\system32\Ecpmod32.exe
        179⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ecefjckj.exe
        
        C:\Windows\system32\Ecefjckj.exe
        180⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Eidlhj32.exe
        
        C:\Windows\system32\Eidlhj32.exe
        181⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Eblpqono.exe
        
        C:\Windows\system32\Eblpqono.exe
        182⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Fldeie32.exe
        
        C:\Windows\system32\Fldeie32.exe
        183⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Fihecici.exe
        
        C:\Windows\system32\Fihecici.exe
        184⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Fdnipbbo.exe
        
        C:\Windows\system32\Fdnipbbo.exe
        185⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Fdqffaql.exe
        
        C:\Windows\system32\Fdqffaql.exe
        186⤵
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Fimonh32.exe
        
        C:\Windows\system32\Fimonh32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Fbecgned.exe
        
        C:\Windows\system32\Fbecgned.exe
        188⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Fdepaa32.exe
        
        C:\Windows\system32\Fdepaa32.exe
        189⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Gdglfqjd.exe
        
        C:\Windows\system32\Gdglfqjd.exe
        190⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Gideogil.exe
        
        C:\Windows\system32\Gideogil.exe
        191⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Gfhehlhe.exe
        
        C:\Windows\system32\Gfhehlhe.exe
        192⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Gkfnnjnl.exe
        
        C:\Windows\system32\Gkfnnjnl.exe
        193⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Ggmock32.exe
        
        C:\Windows\system32\Ggmock32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Gpeclq32.exe
        
        C:\Windows\system32\Gpeclq32.exe
        195⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Hkkgii32.exe
        
        C:\Windows\system32\Hkkgii32.exe
        196⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Hphpap32.exe
        
        C:\Windows\system32\Hphpap32.exe
        197⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Hipdjfoo.exe
        
        C:\Windows\system32\Hipdjfoo.exe
        198⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Hdehho32.exe
        
        C:\Windows\system32\Hdehho32.exe
        199⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Hibape32.exe
        
        C:\Windows\system32\Hibape32.exe
        200⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Hdhemn32.exe
        
        C:\Windows\system32\Hdhemn32.exe
        201⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Hmpjfdcb.exe
        
        C:\Windows\system32\Hmpjfdcb.exe
        202⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Hcmbnk32.exe
        
        C:\Windows\system32\Hcmbnk32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Hmbflc32.exe
        
        C:\Windows\system32\Hmbflc32.exe
        204⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Icoodj32.exe
        
        C:\Windows\system32\Icoodj32.exe
        205⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Idoknmfj.exe
        
        C:\Windows\system32\Idoknmfj.exe
        206⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Iildfd32.exe
        
        C:\Windows\system32\Iildfd32.exe
        207⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Idahcm32.exe
        
        C:\Windows\system32\Idahcm32.exe
        208⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Ijnqld32.exe
        
        C:\Windows\system32\Ijnqld32.exe
        209⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Icfediio.exe
        
        C:\Windows\system32\Icfediio.exe
        210⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Iloimopp.exe
        
        C:\Windows\system32\Iloimopp.exe
        211⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Ikpjkf32.exe
        
        C:\Windows\system32\Ikpjkf32.exe
        212⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Jggjpgmc.exe
        
        C:\Windows\system32\Jggjpgmc.exe
        213⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Jcmkehcg.exe
        
        C:\Windows\system32\Jcmkehcg.exe
        214⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Jlfpnn32.exe
        
        C:\Windows\system32\Jlfpnn32.exe
        215⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Jjjpgb32.exe
        
        C:\Windows\system32\Jjjpgb32.exe
        216⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Jdodekhg.exe
        
        C:\Windows\system32\Jdodekhg.exe
        217⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Jnhinq32.exe
        
        C:\Windows\system32\Jnhinq32.exe
        218⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Jnjecp32.exe
        
        C:\Windows\system32\Jnjecp32.exe
        219⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Kgbjlf32.exe
        
        C:\Windows\system32\Kgbjlf32.exe
        220⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Kcikagij.exe
        
        C:\Windows\system32\Kcikagij.exe
        221⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Kmaojl32.exe
        
        C:\Windows\system32\Kmaojl32.exe
        222⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Kjepcqnd.exe
        
        C:\Windows\system32\Kjepcqnd.exe
        223⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Lcjchd32.exe
        
        C:\Windows\system32\Lcjchd32.exe
        224⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Lclpmdhd.exe
        
        C:\Windows\system32\Lclpmdhd.exe
        225⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mqpqghgn.exe
        
        C:\Windows\system32\Mqpqghgn.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7876
        
        C:\Windows\SysWOW64\Mglfibmh.exe
        
        C:\Windows\system32\Mglfibmh.exe
        227⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Mgoboake.exe
        
        C:\Windows\system32\Mgoboake.exe
        228⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Mebchf32.exe
        
        C:\Windows\system32\Mebchf32.exe
        229⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Mchpibng.exe
        
        C:\Windows\system32\Mchpibng.exe
        230⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Nnmdfknm.exe
        
        C:\Windows\system32\Nnmdfknm.exe
        231⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Ngehoqdn.exe
        
        C:\Windows\system32\Ngehoqdn.exe
        232⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Nlcaeo32.exe
        
        C:\Windows\system32\Nlcaeo32.exe
        233⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Nmgjbg32.exe
        
        C:\Windows\system32\Nmgjbg32.exe
        234⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Nmighf32.exe
        
        C:\Windows\system32\Nmighf32.exe
        235⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Nljgfn32.exe
        
        C:\Windows\system32\Nljgfn32.exe
        236⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Ojpdgjid.exe
        
        C:\Windows\system32\Ojpdgjid.exe
        237⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Oloaamqf.exe
        
        C:\Windows\system32\Oloaamqf.exe
        238⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Ohfafn32.exe
        
        C:\Windows\system32\Ohfafn32.exe
        239⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Oeloebcb.exe
        
        C:\Windows\system32\Oeloebcb.exe
        240⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Pkigmiai.exe
        
        C:\Windows\system32\Pkigmiai.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Pdalfo32.exe
        
        C:\Windows\system32\Pdalfo32.exe
        242⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Paelpcgc.exe
        
        C:\Windows\system32\Paelpcgc.exe
        243⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Phodlm32.exe
        
        C:\Windows\system32\Phodlm32.exe
        244⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Pecefa32.exe
        
        C:\Windows\system32\Pecefa32.exe
        245⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Poliog32.exe
        
        C:\Windows\system32\Poliog32.exe
        246⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Phdngljk.exe
        
        C:\Windows\system32\Phdngljk.exe
        247⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Palbpb32.exe
        
        C:\Windows\system32\Palbpb32.exe
        248⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Qopbjf32.exe
        
        C:\Windows\system32\Qopbjf32.exe
        249⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Qldccjno.exe
        
        C:\Windows\system32\Qldccjno.exe
        250⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Akipdg32.exe
        
        C:\Windows\system32\Akipdg32.exe
        251⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Alimnj32.exe
        
        C:\Windows\system32\Alimnj32.exe
        252⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Akniofoa.exe
        
        C:\Windows\system32\Akniofoa.exe
        253⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ahbjij32.exe
        
        C:\Windows\system32\Ahbjij32.exe
        254⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Aajoapdk.exe
        
        C:\Windows\system32\Aajoapdk.exe
        255⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Aamkgpbi.exe
        
        C:\Windows\system32\Aamkgpbi.exe
        256⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Boqlqd32.exe
        
        C:\Windows\system32\Boqlqd32.exe
        257⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Bhipiihc.exe
        
        C:\Windows\system32\Bhipiihc.exe
        258⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Baadbo32.exe
        
        C:\Windows\system32\Baadbo32.exe
        259⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Boeelcmm.exe
        
        C:\Windows\system32\Boeelcmm.exe
        260⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Blieeglf.exe
        
        C:\Windows\system32\Blieeglf.exe
        261⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Bhpfjh32.exe
        
        C:\Windows\system32\Bhpfjh32.exe
        262⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Bnmobopb.exe
        
        C:\Windows\system32\Bnmobopb.exe
        263⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ckaolcol.exe
        
        C:\Windows\system32\Ckaolcol.exe
        264⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Cffcilob.exe
        
        C:\Windows\system32\Cffcilob.exe
        265⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Ckclacmi.exe
        
        C:\Windows\system32\Ckclacmi.exe
        266⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Chglkg32.exe
        
        C:\Windows\system32\Chglkg32.exe
        267⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Cndecn32.exe
        
        C:\Windows\system32\Cndecn32.exe
        268⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Chiipg32.exe
        
        C:\Windows\system32\Chiipg32.exe
        269⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Cbbnim32.exe
        
        C:\Windows\system32\Cbbnim32.exe
        270⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Clgbfe32.exe
        
        C:\Windows\system32\Clgbfe32.exe
        271⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Ddbfkh32.exe
        
        C:\Windows\system32\Ddbfkh32.exe
        272⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Dnkkcmdb.exe
        
        C:\Windows\system32\Dnkkcmdb.exe
        273⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Ennqpkcm.exe
        
        C:\Windows\system32\Ennqpkcm.exe
        274⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Felbhdgd.exe
        
        C:\Windows\system32\Felbhdgd.exe
        275⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Fbellhbi.exe
        
        C:\Windows\system32\Fbellhbi.exe
        276⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Fmjqjqao.exe
        
        C:\Windows\system32\Fmjqjqao.exe
        277⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Gefencoj.exe
        
        C:\Windows\system32\Gefencoj.exe
        278⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Gnnjgh32.exe
        
        C:\Windows\system32\Gnnjgh32.exe
        279⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Gmojep32.exe
        
        C:\Windows\system32\Gmojep32.exe
        280⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Gfgnnedj.exe
        
        C:\Windows\system32\Gfgnnedj.exe
        281⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Gldgflba.exe
        
        C:\Windows\system32\Gldgflba.exe
        282⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Gfjkce32.exe
        
        C:\Windows\system32\Gfjkce32.exe
        283⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Iiipfnch.exe
        
        C:\Windows\system32\Iiipfnch.exe
        284⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Iepako32.exe
        
        C:\Windows\system32\Iepako32.exe
        285⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Iohede32.exe
        
        C:\Windows\system32\Iohede32.exe
        286⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Iimjan32.exe
        
        C:\Windows\system32\Iimjan32.exe
        287⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Icfnjcec.exe
        
        C:\Windows\system32\Icfnjcec.exe
        288⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Ilnbch32.exe
        
        C:\Windows\system32\Ilnbch32.exe
        289⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Iibclmkn.exe
        
        C:\Windows\system32\Iibclmkn.exe
        290⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Jmplbk32.exe
        
        C:\Windows\system32\Jmplbk32.exe
        291⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Jngbcj32.exe
        
        C:\Windows\system32\Jngbcj32.exe
        292⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Jebfgl32.exe
        
        C:\Windows\system32\Jebfgl32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Kokkqbog.exe
        
        C:\Windows\system32\Kokkqbog.exe
        294⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Komhfa32.exe
        
        C:\Windows\system32\Komhfa32.exe
        295⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Kjblcj32.exe
        
        C:\Windows\system32\Kjblcj32.exe
        296⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Kgflmo32.exe
        
        C:\Windows\system32\Kgflmo32.exe
        297⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Koaaaaip.exe
        
        C:\Windows\system32\Koaaaaip.exe
        298⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Kodnfqgm.exe
        
        C:\Windows\system32\Kodnfqgm.exe
        299⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Ljibdifc.exe
        
        C:\Windows\system32\Ljibdifc.exe
        300⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Lcbfmomc.exe
        
        C:\Windows\system32\Lcbfmomc.exe
        301⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Lqfgfclm.exe
        
        C:\Windows\system32\Lqfgfclm.exe
        302⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Lfbpnjjd.exe
        
        C:\Windows\system32\Lfbpnjjd.exe
        303⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Lokdgpqe.exe
        
        C:\Windows\system32\Lokdgpqe.exe
        304⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lnldeg32.exe
        
        C:\Windows\system32\Lnldeg32.exe
        305⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Lfgiii32.exe
        
        C:\Windows\system32\Lfgiii32.exe
        306⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Mnanpfdo.exe
        
        C:\Windows\system32\Mnanpfdo.exe
        307⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Mncjffbl.exe
        
        C:\Windows\system32\Mncjffbl.exe
        308⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Mnegkf32.exe
        
        C:\Windows\system32\Mnegkf32.exe
        309⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mgnldkgj.exe
        
        C:\Windows\system32\Mgnldkgj.exe
        310⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Moiphnde.exe
        
        C:\Windows\system32\Moiphnde.exe
        311⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Mokmnm32.exe
        
        C:\Windows\system32\Mokmnm32.exe
        312⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Nnmmleja.exe
        
        C:\Windows\system32\Nnmmleja.exe
        313⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Njcnafpe.exe
        
        C:\Windows\system32\Njcnafpe.exe
        314⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nnafgd32.exe
        
        C:\Windows\system32\Nnafgd32.exe
        315⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Njhglelp.exe
        
        C:\Windows\system32\Njhglelp.exe
        316⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Nglhei32.exe
        
        C:\Windows\system32\Nglhei32.exe
        317⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Ogndki32.exe
        
        C:\Windows\system32\Ogndki32.exe
        318⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Ojommdfh.exe
        
        C:\Windows\system32\Ojommdfh.exe
        319⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Ogcnfheb.exe
        
        C:\Windows\system32\Ogcnfheb.exe
        320⤵
        Drops file in System32 directory
        
        PID:7612
        
        C:\Windows\SysWOW64\Opnbjk32.exe
        
        C:\Windows\system32\Opnbjk32.exe
        321⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ombcdo32.exe
        
        C:\Windows\system32\Ombcdo32.exe
        322⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Pfmdbd32.exe
        
        C:\Windows\system32\Pfmdbd32.exe
        323⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ppeikjle.exe
        
        C:\Windows\system32\Ppeikjle.exe
        324⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Pnfiia32.exe
        
        C:\Windows\system32\Pnfiia32.exe
        325⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Phombg32.exe
        
        C:\Windows\system32\Phombg32.exe
        326⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Pfdjccol.exe
        
        C:\Windows\system32\Pfdjccol.exe
        327⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Pmpoemef.exe
        
        C:\Windows\system32\Pmpoemef.exe
        328⤵
        
        PID:184
        
        C:\Windows\SysWOW64\Qjdpoacp.exe
        
        C:\Windows\system32\Qjdpoacp.exe
        329⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Qdldgg32.exe
        
        C:\Windows\system32\Qdldgg32.exe
        330⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Apcemh32.exe
        
        C:\Windows\system32\Apcemh32.exe
        331⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Akiijq32.exe
        
        C:\Windows\system32\Akiijq32.exe
        332⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Adanbffk.exe
        
        C:\Windows\system32\Adanbffk.exe
        333⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Amibklml.exe
        
        C:\Windows\system32\Amibklml.exe
        334⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Apjkmgjm.exe
        
        C:\Windows\system32\Apjkmgjm.exe
        335⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Aokkknbl.exe
        
        C:\Windows\system32\Aokkknbl.exe
        336⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Ahdpdd32.exe
        
        C:\Windows\system32\Ahdpdd32.exe
        337⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bhfmic32.exe
        
        C:\Windows\system32\Bhfmic32.exe
        338⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Bdmmnd32.exe
        
        C:\Windows\system32\Bdmmnd32.exe
        339⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Bmeagjbo.exe
        
        C:\Windows\system32\Bmeagjbo.exe
        340⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Bgnfpp32.exe
        
        C:\Windows\system32\Bgnfpp32.exe
        341⤵
        
        PID:5988

C:\Windows\SysWOW64\Bdagidhi.exe
C:\Windows\system32\Bdagidhi.exe
1⤵
PID:5392
- C:\Windows\SysWOW64\Baegchgb.exe
  C:\Windows\system32\Baegchgb.exe
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\Cnlhhi32.exe
    C:\Windows\system32\Cnlhhi32.exe
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\Coldbl32.exe
      C:\Windows\system32\Coldbl32.exe
      4⤵
      PID:3780
    - - C:\Windows\SysWOW64\Cdhmjc32.exe
        
        C:\Windows\system32\Cdhmjc32.exe
        5⤵
        
        PID:2716
      - C:\Windows\SysWOW64\Conagl32.exe
        
        C:\Windows\system32\Conagl32.exe
        6⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Ckealm32.exe
        
        C:\Windows\system32\Ckealm32.exe
        7⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Cglbanmo.exe
        
        C:\Windows\system32\Cglbanmo.exe
        8⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Cdpckbli.exe
        
        C:\Windows\system32\Cdpckbli.exe
        9⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Doeghk32.exe
        
        C:\Windows\system32\Doeghk32.exe
        10⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Dhnlapbo.exe
        
        C:\Windows\system32\Dhnlapbo.exe
        11⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Dqipeboj.exe
        
        C:\Windows\system32\Dqipeboj.exe
        12⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Dahmoefm.exe
        
        C:\Windows\system32\Dahmoefm.exe
        13⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Dqmjqb32.exe
        
        C:\Windows\system32\Dqmjqb32.exe
        14⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Dhgogojd.exe
        
        C:\Windows\system32\Dhgogojd.exe
        15⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Ebocpd32.exe
        
        C:\Windows\system32\Ebocpd32.exe
        16⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Eoccii32.exe
        
        C:\Windows\system32\Eoccii32.exe
        17⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ehlhbn32.exe
        
        C:\Windows\system32\Ehlhbn32.exe
        18⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Eqgmgq32.exe
        
        C:\Windows\system32\Eqgmgq32.exe
        19⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Eqiilp32.exe
        
        C:\Windows\system32\Eqiilp32.exe
        20⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Edgbbo32.exe
        
        C:\Windows\system32\Edgbbo32.exe
        21⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Foocegea.exe
        
        C:\Windows\system32\Foocegea.exe
        22⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Figgnm32.exe
        
        C:\Windows\system32\Figgnm32.exe
        23⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Hijmjj32.exe
        
        C:\Windows\system32\Hijmjj32.exe
        24⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Hngebq32.exe
        
        C:\Windows\system32\Hngebq32.exe
        25⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Hlkfle32.exe
        
        C:\Windows\system32\Hlkfle32.exe
        26⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Hlmbadfk.exe
        
        C:\Windows\system32\Hlmbadfk.exe
        27⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Hiackied.exe
        
        C:\Windows\system32\Hiackied.exe
        28⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Halhpkbp.exe
        
        C:\Windows\system32\Halhpkbp.exe
        29⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Hpmhmbko.exe
        
        C:\Windows\system32\Hpmhmbko.exe
        30⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Iejqeiif.exe
        
        C:\Windows\system32\Iejqeiif.exe
        31⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ihkigd32.exe
        
        C:\Windows\system32\Ihkigd32.exe
        32⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ibqndm32.exe
        
        C:\Windows\system32\Ibqndm32.exe
        33⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Iimcgg32.exe
        
        C:\Windows\system32\Iimcgg32.exe
        34⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ioikon32.exe
        
        C:\Windows\system32\Ioikon32.exe
        35⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Ilnlhb32.exe
        
        C:\Windows\system32\Ilnlhb32.exe
        36⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Jialbf32.exe
        
        C:\Windows\system32\Jialbf32.exe
        37⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Jehmgg32.exe
        
        C:\Windows\system32\Jehmgg32.exe
        38⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jifemfcl.exe
        
        C:\Windows\system32\Jifemfcl.exe
        39⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Jlgooa32.exe
        
        C:\Windows\system32\Jlgooa32.exe
        40⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Jpegeo32.exe
        
        C:\Windows\system32\Jpegeo32.exe
        41⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Klndopje.exe
        
        C:\Windows\system32\Klndopje.exe
        42⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Kibeid32.exe
        
        C:\Windows\system32\Kibeid32.exe
        43⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Keifneoc.exe
        
        C:\Windows\system32\Keifneoc.exe
        44⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Koajfk32.exe
        
        C:\Windows\system32\Koajfk32.exe
        45⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Klekpodn.exe
        
        C:\Windows\system32\Klekpodn.exe
        46⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Liikiccg.exe
        
        C:\Windows\system32\Liikiccg.exe
        47⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Lcapbi32.exe
        
        C:\Windows\system32\Lcapbi32.exe
        48⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Lljdkn32.exe
        
        C:\Windows\system32\Lljdkn32.exe
        49⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lebiddfi.exe
        
        C:\Windows\system32\Lebiddfi.exe
        50⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Lpgmamfo.exe
        
        C:\Windows\system32\Lpgmamfo.exe
        51⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ljpajbmo.exe
        
        C:\Windows\system32\Ljpajbmo.exe
        52⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Lfgboc32.exe
        
        C:\Windows\system32\Lfgboc32.exe
        53⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Mckbhg32.exe
        
        C:\Windows\system32\Mckbhg32.exe
        54⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Mlcgam32.exe
        
        C:\Windows\system32\Mlcgam32.exe
        55⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Mjggka32.exe
        
        C:\Windows\system32\Mjggka32.exe
        56⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Mqclmk32.exe
        
        C:\Windows\system32\Mqclmk32.exe
        57⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Mfpeeb32.exe
        
        C:\Windows\system32\Mfpeeb32.exe
        58⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Mbgejcpm.exe
        
        C:\Windows\system32\Mbgejcpm.exe
        59⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Nlljglpc.exe
        
        C:\Windows\system32\Nlljglpc.exe
        60⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Njpjap32.exe
        
        C:\Windows\system32\Njpjap32.exe
        61⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Nmacbk32.exe
        
        C:\Windows\system32\Nmacbk32.exe
        62⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Nqolii32.exe
        
        C:\Windows\system32\Nqolii32.exe
        63⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Nqaini32.exe
        
        C:\Windows\system32\Nqaini32.exe
        64⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Oqcedino.exe
        
        C:\Windows\system32\Oqcedino.exe
        65⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Ofqnlplf.exe
        
        C:\Windows\system32\Ofqnlplf.exe
        66⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ooibee32.exe
        
        C:\Windows\system32\Ooibee32.exe
        67⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Oiagnk32.exe
        
        C:\Windows\system32\Oiagnk32.exe
        68⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Ocihqc32.exe
        
        C:\Windows\system32\Ocihqc32.exe
        69⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Pfojmn32.exe
        
        C:\Windows\system32\Pfojmn32.exe
        70⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ppgofcff.exe
        
        C:\Windows\system32\Ppgofcff.exe
        71⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Pafkpfni.exe
        
        C:\Windows\system32\Pafkpfni.exe
        72⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Pmmleg32.exe
        
        C:\Windows\system32\Pmmleg32.exe
        73⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Qfepnmjn.exe
        
        C:\Windows\system32\Qfepnmjn.exe
        74⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Qfhmcl32.exe
        
        C:\Windows\system32\Qfhmcl32.exe
        75⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Aiifeg32.exe
        
        C:\Windows\system32\Aiifeg32.exe
        76⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Ajhboj32.exe
        
        C:\Windows\system32\Ajhboj32.exe
        77⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Adqghpbp.exe
        
        C:\Windows\system32\Adqghpbp.exe
        78⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Aimoqgqg.exe
        
        C:\Windows\system32\Aimoqgqg.exe
        79⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 408
        80⤵
        Program crash
        
        PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7008 -ip 7008
1⤵
PID:6324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijeme32.exe

Filesize
1.9MB

MD5
f5ece664a3e2244e70dfa48f4ac02370

SHA1
7362964ecd24600d445d7efe151833a02e5fc974

SHA256
b2c9ebb3403ba21684b59d6d8606dea9bcfbf5ea731913531cb1a7d9046356d2

SHA512
c98f2a4a3b04ca3e740cd3f96ce4afb3382f80f61fe2129cdbe2ac03f2d08198b5805d2fa60af304bb9b639c8f431d2d923c06cbf19d752ea7808e0a7e756f7b

Download Submit
C:\Windows\SysWOW64\Aijeme32.exe

Filesize
1.9MB

MD5
f5ece664a3e2244e70dfa48f4ac02370

SHA1
7362964ecd24600d445d7efe151833a02e5fc974

SHA256
b2c9ebb3403ba21684b59d6d8606dea9bcfbf5ea731913531cb1a7d9046356d2

SHA512
c98f2a4a3b04ca3e740cd3f96ce4afb3382f80f61fe2129cdbe2ac03f2d08198b5805d2fa60af304bb9b639c8f431d2d923c06cbf19d752ea7808e0a7e756f7b

Download Submit
C:\Windows\SysWOW64\Anjpeelk.exe

Filesize
1.9MB

MD5
75b6b0271f8667da9c87e2ff10112558

SHA1
224eb4ea23c86268a4cbff1686e486eff4ebe24d

SHA256
0a02334ac97390af4b2b5f2a9e5abdeb8068dc3b2b33d2d8d73941084b03c9c9

SHA512
c75726c8c541b64be6d381cfa24c062c9e94d92a132b7285a5b6d65aec802e65a06549893593239869c5c1f2e9ac1d176043e59dbda255351d8a3237533a3232

Download Submit
C:\Windows\SysWOW64\Anjpeelk.exe

Filesize
1.9MB

MD5
75b6b0271f8667da9c87e2ff10112558

SHA1
224eb4ea23c86268a4cbff1686e486eff4ebe24d

SHA256
0a02334ac97390af4b2b5f2a9e5abdeb8068dc3b2b33d2d8d73941084b03c9c9

SHA512
c75726c8c541b64be6d381cfa24c062c9e94d92a132b7285a5b6d65aec802e65a06549893593239869c5c1f2e9ac1d176043e59dbda255351d8a3237533a3232

Download Submit
C:\Windows\SysWOW64\Bbbblhnc.exe

Filesize
1.9MB

MD5
f5ece664a3e2244e70dfa48f4ac02370

SHA1
7362964ecd24600d445d7efe151833a02e5fc974

SHA256
b2c9ebb3403ba21684b59d6d8606dea9bcfbf5ea731913531cb1a7d9046356d2

SHA512
c98f2a4a3b04ca3e740cd3f96ce4afb3382f80f61fe2129cdbe2ac03f2d08198b5805d2fa60af304bb9b639c8f431d2d923c06cbf19d752ea7808e0a7e756f7b

Download Submit
C:\Windows\SysWOW64\Bbbblhnc.exe

Filesize
1.9MB

MD5
091d5808eb7b5f42ba369c79530d77e0

SHA1
9ea97d02fe15ef71be16b67a4c36087238c3afe3

SHA256
b796a166428ccd4afa877e917e3da05da0e6c3bbace5d599e7b14db74c8c8e0e

SHA512
476dbabfa7c3ce37dcd9399acb6d182304ed7756f8bc42472f46affcfa0264cb3e343ba3f7d85251363c705f14a1db05c4ac89081e685d46ad1ffff35eb5d747

Download Submit
C:\Windows\SysWOW64\Bbbblhnc.exe

Filesize
1.9MB

MD5
091d5808eb7b5f42ba369c79530d77e0

SHA1
9ea97d02fe15ef71be16b67a4c36087238c3afe3

SHA256
b796a166428ccd4afa877e917e3da05da0e6c3bbace5d599e7b14db74c8c8e0e

SHA512
476dbabfa7c3ce37dcd9399acb6d182304ed7756f8bc42472f46affcfa0264cb3e343ba3f7d85251363c705f14a1db05c4ac89081e685d46ad1ffff35eb5d747

Download Submit
C:\Windows\SysWOW64\Bjielh32.exe

Filesize
1.9MB

MD5
a33c6bd4d900bed89921877abf8add79

SHA1
1460c6fedc4e32445ff5c2e1344a726be93c6b51

SHA256
a2d31075c06e843297f74197ce8abdea18692579b946fa38733aae04370bbe38

SHA512
f5470d3dfef63da7d70bc9eb75bdc9e2acfc0b8655f09bf81f6ba920e4eb8407f95fda0ed561dc4311efd9c0e7b4e9cfc779ec13f7aa17bb1977b19e2cf09f7e

Download Submit
C:\Windows\SysWOW64\Bkhceh32.exe

Filesize
1.9MB

MD5
7d5d1ffe3452384b082b4c0f8c1a9156

SHA1
88c297c4f16e6925f406dd3e1f74b8010523bd43

SHA256
08cd7806a943948f23e8442b144f34e24febf75412e5cff2a160453d809a424e

SHA512
c42a05c96d276fae014a22e8455d6177d9bba1f3e08ba1fb21e29f5d09d186a4bdcf3625a21ae76d7cdfed25c95e6158aebfe4d4926928efc8296bdb61edb88f

Download Submit
C:\Windows\SysWOW64\Bkhceh32.exe

Filesize
1.9MB

MD5
7d5d1ffe3452384b082b4c0f8c1a9156

SHA1
88c297c4f16e6925f406dd3e1f74b8010523bd43

SHA256
08cd7806a943948f23e8442b144f34e24febf75412e5cff2a160453d809a424e

SHA512
c42a05c96d276fae014a22e8455d6177d9bba1f3e08ba1fb21e29f5d09d186a4bdcf3625a21ae76d7cdfed25c95e6158aebfe4d4926928efc8296bdb61edb88f

Download Submit
C:\Windows\SysWOW64\Bnobfn32.exe

Filesize
1.9MB

MD5
c63ab2fe34bb86e1bd866468dc4ee195

SHA1
b04138230cc93234810f05505b6eecfec5fecad4

SHA256
7905101cc8d82e999b4d5f26933b43e9da8324c100f029fff012a369a06eca11

SHA512
44aa4bbb94a012e9c7863f40eab77e157cf1769080183662ef953f092d243d5bb1f2ea1900b8c7ed9a2c94edd677222d060785d1f3cf206da4bb1496a99c7d96

Download Submit
C:\Windows\SysWOW64\Cddemi32.exe

Filesize
1.9MB

MD5
8331317dbc600bfc09ca6f23e7b58bbf

SHA1
acec2efc01fb6bd73de687d83c3b9270006cbc85

SHA256
58ad6d85a88fd7279b215e324fe46e0f1ecefdb3553c4ce1341923ef75dafa4c

SHA512
6390f3ec5c9a8ce433a980e1563413de4ca7b9f140e4a1dd22bcd1459394aa942aa5f65754f3dbd891ec859f0717faa5f22db0b4f59d54f6c884c17ed6152aaf

Download Submit
C:\Windows\SysWOW64\Ciqmjkno.exe

Filesize
1.9MB

MD5
fca1fce5f8f415191a10b7e62423253a

SHA1
01a6a3f68d0edb37f34cc4c6deb3c87c2b96a957

SHA256
777f7118ebf986d1b1f27d348c032713dae25fe91f127eca70b8998dd037421e

SHA512
4b0a839fadff5f9b06ba3cb9cbf3e050f15323a71514a6d6e87efdfb9408dd236ed0e9e83eb849da123735fcb9ca7d13b6976e1254f22a046163a58e736df3ab

Download Submit
C:\Windows\SysWOW64\Ciqmjkno.exe

Filesize
1.9MB

MD5
fca1fce5f8f415191a10b7e62423253a

SHA1
01a6a3f68d0edb37f34cc4c6deb3c87c2b96a957

SHA256
777f7118ebf986d1b1f27d348c032713dae25fe91f127eca70b8998dd037421e

SHA512
4b0a839fadff5f9b06ba3cb9cbf3e050f15323a71514a6d6e87efdfb9408dd236ed0e9e83eb849da123735fcb9ca7d13b6976e1254f22a046163a58e736df3ab

Download Submit
C:\Windows\SysWOW64\Dfnbbg32.exe

Filesize
1.9MB

MD5
35dbe66ecd5a9b2fdae09e40628a6dfd

SHA1
beaf39d435fba2b726e40c8133e04fa0d4a6f4ca

SHA256
0c0caca5016f4ca334367839717ab9040b2b54ac8032a0221dbef3010a473e9c

SHA512
b77f66f308f6c775de2b42422b6d405d65626cfd1de553059ad3a933a2bea9b5d9a195d2b11884dbd9ce577951f2c41f79789c71e9ca9f88470427f598ae84ac

Download Submit
C:\Windows\SysWOW64\Dlicflic.exe

Filesize
1.9MB

MD5
4abe59f67b677e45c7cf744c180c5f5e

SHA1
d36893eb83a021df401ba1af2949df267fca4fc5

SHA256
5cd4690f73716099e3926f159e7d117fa75b6597db1b3e76bfe29479f3051d82

SHA512
9bcb46f08a83286046662ea069422fc96ae4e450525b665afcee314fa5d2df2bb8fcd1191a3d223eccaf1529b837b91f6e1ba663be68e700d5657c1ab00c77d8

Download Submit
C:\Windows\SysWOW64\Dlicflic.exe

Filesize
1.9MB

MD5
4abe59f67b677e45c7cf744c180c5f5e

SHA1
d36893eb83a021df401ba1af2949df267fca4fc5

SHA256
5cd4690f73716099e3926f159e7d117fa75b6597db1b3e76bfe29479f3051d82

SHA512
9bcb46f08a83286046662ea069422fc96ae4e450525b665afcee314fa5d2df2bb8fcd1191a3d223eccaf1529b837b91f6e1ba663be68e700d5657c1ab00c77d8

Download Submit
C:\Windows\SysWOW64\Dlobmd32.exe

Filesize
1.9MB

MD5
0d581c3df44229e327c0c7de786e2c55

SHA1
b1b8f62efc7f5af325356e0da93876d9a1c98fa5

SHA256
bc3e9f6405de13955974080ee29fb5565fe49242cf732a6bcf34825134cbfab3

SHA512
3e672d5b8d15d87d82550e5d44a59ef9bde33dd2f8314dadec54525d42905117c114b3415307b904f1f4d95f57244c22a12e2714b2dbdae6af642c49c7cfab2d

Download Submit
C:\Windows\SysWOW64\Dlobmd32.exe

Filesize
1.9MB

MD5
0d581c3df44229e327c0c7de786e2c55

SHA1
b1b8f62efc7f5af325356e0da93876d9a1c98fa5

SHA256
bc3e9f6405de13955974080ee29fb5565fe49242cf732a6bcf34825134cbfab3

SHA512
3e672d5b8d15d87d82550e5d44a59ef9bde33dd2f8314dadec54525d42905117c114b3415307b904f1f4d95f57244c22a12e2714b2dbdae6af642c49c7cfab2d

Download Submit
C:\Windows\SysWOW64\Dmknog32.exe

Filesize
1.9MB

MD5
53c08f1abb030c81cb830cd3202b0d50

SHA1
abcfa406dd8c3bd00471a47e5714ce415a4feb81

SHA256
13d3fcffcde11fb49d1d52edf2c508d08ba68ba0f0f810cee79f46542c20ee77

SHA512
a779ffb4671f21e67067ad9003a0d5ce80c83473dfea13f5bc3a153a450b8a8073e56346d7c11e65de81fe5d1c19d3fab1a6566ae8dc36a6e9448ff16dda99ad

Download Submit
C:\Windows\SysWOW64\Dmmdjp32.exe

Filesize
1.9MB

MD5
e7ea5a80a94b7408f6e333f4bb02d0b4

SHA1
c8434348450243044e2fd5450a0302e48b9e2708

SHA256
8dbb1a223aac61416cc4444b70d16d197e73ac6d86f9395583bcaa30a0b71ebb

SHA512
358c5b3c4bab1ee6a0aa1ad13f3a2e9fad5a7084d302fe8a650b992f7ab7ccc000f3d906ddc81c065b9ede6e94df79e35a67cdf6ef6062de6d7e9da6f314cd0c

Download Submit
C:\Windows\SysWOW64\Dmnkdfce.exe

Filesize
1.9MB

MD5
c589516f4481c3b6ec28d55dc95afc5a

SHA1
09864610077ba5229cb8a8dbc49e98b02d609a9c

SHA256
32d30c39e8505a21e562971f0b4f380fd4f6577d79b86b1797096b72aedaf210

SHA512
9a7717407a27a1ef02d17a727a1c8b7d49cdd90b0409e8840217b491fca9d54dde004e2b58fba568be115defc315c69b8d208e7892d363099c19e50c473db78a

Download Submit
C:\Windows\SysWOW64\Ecafgo32.exe

Filesize
1.9MB

MD5
2af155031a1a1b422e837800b052eac8

SHA1
3be4b5d1a84c4be0f54b16709fd81759bfa098a4

SHA256
e208d1500d769062f15d039f2212e86f4981249d43f841452ba53d1faa60a563

SHA512
2b701bc83c69aa9f64d89026c115dccb471297a352335730b6c1bd13e28a2a5ba8b2a4fe4b16b8df12a87854b88188ac14ffb951ef00553b198f498fa88495ea

Download Submit
C:\Windows\SysWOW64\Efjbne32.exe

Filesize
1.9MB

MD5
d6defd31d32accb8679acd6aa12e1504

SHA1
407c1d58bca568769518002df429c947279f564a

SHA256
4b8ef4471b1c1cd2e2e3344443e8021b5df7c4a255264963bf84b0a42cba8546

SHA512
db5b59642a66a67377030c38c8a9f86c93df92a463d2597366535cdd83c44eb66b566ff7066ab4b6fb02e05e6c6d4a21231eb2fc61ad3802f93069a3e65faa57

Download Submit
C:\Windows\SysWOW64\Ejkenpnp.exe

Filesize
1.9MB

MD5
0d581c3df44229e327c0c7de786e2c55

SHA1
b1b8f62efc7f5af325356e0da93876d9a1c98fa5

SHA256
bc3e9f6405de13955974080ee29fb5565fe49242cf732a6bcf34825134cbfab3

SHA512
3e672d5b8d15d87d82550e5d44a59ef9bde33dd2f8314dadec54525d42905117c114b3415307b904f1f4d95f57244c22a12e2714b2dbdae6af642c49c7cfab2d

Download Submit
C:\Windows\SysWOW64\Ejkenpnp.exe

Filesize
1.9MB

MD5
04fbd7b4ad79bc0e2045e8ed70bf2763

SHA1
4b8489f4a4f646ea266405a62d2aa461cf7d0913

SHA256
e3f2fa9b3a865004af710ac1576feee22d5ade19405ee8751b4c75b6dc59ff4e

SHA512
ebc2b5b20601020dbbf76fb201ada221d33afa1502aa29d3d664d22a2dce9692a51199bad3c5f742bbed667af8bf9b661c2a1f645eb2fd98308f5a27b4cee3b3

Download Submit
C:\Windows\SysWOW64\Ejkenpnp.exe

Filesize
1.9MB

MD5
04fbd7b4ad79bc0e2045e8ed70bf2763

SHA1
4b8489f4a4f646ea266405a62d2aa461cf7d0913

SHA256
e3f2fa9b3a865004af710ac1576feee22d5ade19405ee8751b4c75b6dc59ff4e

SHA512
ebc2b5b20601020dbbf76fb201ada221d33afa1502aa29d3d664d22a2dce9692a51199bad3c5f742bbed667af8bf9b661c2a1f645eb2fd98308f5a27b4cee3b3

Download Submit
C:\Windows\SysWOW64\Ennqpkcm.exe

Filesize
1.9MB

MD5
13d58e653dd1ed9dbd15dea66c115fe2

SHA1
b80cbb9c8bbdeb322826404adb5bae0e63d27f6a

SHA256
b8ffdd01c464b275bc982a27bb70a04d6b0db8427c6ed2eb4986a79b20f98283

SHA512
8c4140dd9dd2a386cca6aab2baae11466f7a1d74bf78510095f07f297dc952d99a90739817263e2338eedc89f00e16c3a88b1933b1779d6cca5239fad383a964

Download Submit
C:\Windows\SysWOW64\Fhflhcfa.exe

Filesize
1.9MB

MD5
3bd7b5f98d1af20eac46bac8b5ae346d

SHA1
1d47d8ffe1590fc07b1fc0a0ab049e5a90cdea3b

SHA256
70502ce5a32f72abf48de318e6bf66fca24fdc3375765dac174bb1b342948839

SHA512
bcc2cd0a5e52e60f9250b684961f8312420901d08dca4169007bffd72cef5b3d03ad7585998b05dd5f47c2349fe39e41a2a0f7c96b3d500d442250938c01709d

Download Submit
C:\Windows\SysWOW64\Fhflhcfa.exe

Filesize
1.9MB

MD5
3bd7b5f98d1af20eac46bac8b5ae346d

SHA1
1d47d8ffe1590fc07b1fc0a0ab049e5a90cdea3b

SHA256
70502ce5a32f72abf48de318e6bf66fca24fdc3375765dac174bb1b342948839

SHA512
bcc2cd0a5e52e60f9250b684961f8312420901d08dca4169007bffd72cef5b3d03ad7585998b05dd5f47c2349fe39e41a2a0f7c96b3d500d442250938c01709d

Download Submit
C:\Windows\SysWOW64\Fnofpqff.exe

Filesize
1.9MB

MD5
42acfc5f50769f219c8b26e18b7c9357

SHA1
f71f94e31b1d9594f56b8823884865d1ecd9fab7

SHA256
a791a87b2a8ce09dc47a33ed52bbd896fb367565e6b10eccb12679ed4ac0190b

SHA512
1e544ef36b85df71758336e629a5fdf52b3db89e2c135a8a8eaf0ce94a6f65a12e4c345250246e60487c21c56d7db97f1b7f1ae475e0ebc6b161ea448b8ca9c3

Download Submit
C:\Windows\SysWOW64\Fplnogmb.exe

Filesize
1.9MB

MD5
b6a8725030fad509ede89ad04c889ee2

SHA1
cbda57734bb72bd5728e1b3c7ff05db33d9bcc44

SHA256
beaf987bf51ecf4a8b625b25a82a9cb861563d81c2d78356d7b4889114b8c742

SHA512
ea32e29bc5e1721e0b47a0b96bbc0390560ad7a8f4f390ce96ef68df7c02f218ee2645a66e4399129831408731b698200bb498bed5eac428e70364c82dcb2284

Download Submit
C:\Windows\SysWOW64\Fplnogmb.exe

Filesize
1.9MB

MD5
b6a8725030fad509ede89ad04c889ee2

SHA1
cbda57734bb72bd5728e1b3c7ff05db33d9bcc44

SHA256
beaf987bf51ecf4a8b625b25a82a9cb861563d81c2d78356d7b4889114b8c742

SHA512
ea32e29bc5e1721e0b47a0b96bbc0390560ad7a8f4f390ce96ef68df7c02f218ee2645a66e4399129831408731b698200bb498bed5eac428e70364c82dcb2284

Download Submit
C:\Windows\SysWOW64\Ghqeihbb.exe

Filesize
1.9MB

MD5
8c05a79b026cb9bce7c0d3a955da54a3

SHA1
d1ce876354449a463167ff8b48b97b5f9bc22f83

SHA256
30eaf15a8d537b8a3f5db188f6d47303723e2dd19a3b70eacab49e484ff43b5e

SHA512
73f494e575fb044bd3da32f116c4b7e18e25fa4ed3ce03d98c93ff4391718e336e1362ceaa77e815856b786701900542e9bc19e677d6eb95264311064ab4cd65

Download Submit
C:\Windows\SysWOW64\Ghqeihbb.exe

Filesize
1.9MB

MD5
8c05a79b026cb9bce7c0d3a955da54a3

SHA1
d1ce876354449a463167ff8b48b97b5f9bc22f83

SHA256
30eaf15a8d537b8a3f5db188f6d47303723e2dd19a3b70eacab49e484ff43b5e

SHA512
73f494e575fb044bd3da32f116c4b7e18e25fa4ed3ce03d98c93ff4391718e336e1362ceaa77e815856b786701900542e9bc19e677d6eb95264311064ab4cd65

Download Submit
C:\Windows\SysWOW64\Gkeakl32.exe

Filesize
1.9MB

MD5
ddcc58a836e8e03568d74fb89f2086a2

SHA1
6ac5c9eb453fe51c4d146b8b5125fabc1acd1240

SHA256
b267dfde8e2b9bea73e994225269dcba5bdad64c70f6d56e5f124b6753588617

SHA512
fa7f9edf83a813d379b5355d91f1637bfc7f5227b556945227562be8160fb676f3e1966f81b6d406f6257c5ec12751319d7862077108a1e697f23590c6f621ac

Download Submit
C:\Windows\SysWOW64\Gkeakl32.exe

Filesize
1.9MB

MD5
ddcc58a836e8e03568d74fb89f2086a2

SHA1
6ac5c9eb453fe51c4d146b8b5125fabc1acd1240

SHA256
b267dfde8e2b9bea73e994225269dcba5bdad64c70f6d56e5f124b6753588617

SHA512
fa7f9edf83a813d379b5355d91f1637bfc7f5227b556945227562be8160fb676f3e1966f81b6d406f6257c5ec12751319d7862077108a1e697f23590c6f621ac

Download Submit
C:\Windows\SysWOW64\Gpjfng32.exe

Filesize
1.9MB

MD5
fd588404feea9db313a18de89bed2efa

SHA1
1e79f1cc6d15b21b0a5c2eee1c3a097949e4b2b8

SHA256
49e4ef81cc5c97a05fb832e7a18ae09cad1cdf8b30d49c80bf2c0e00921d14ab

SHA512
87079795d0cbfbc337e50463c45463f19beea5cc87a32de58117e9b87cbc4d702c2f1e008698465202c932665a136c1f3991e99c666fe6c5b7d19e81ef9c6ed1

Download Submit
C:\Windows\SysWOW64\Hlnqln32.exe

Filesize
1.9MB

MD5
0dff3ef44a25475ea8e8b7d5c675918d

SHA1
a41f3dd3650d55c7f2e6f432fcbe9877425d29f1

SHA256
4935b6759cddf1d2e086738a471e428d22a5dc8404a864642ad1d1f37b23aac4

SHA512
b0096bbce4837aa22c1e43645952e421b215ba6f98da80ecaec9fa011b3f8d6a8e00fb1f272a1c16b5c29bc92d9b0a5bbe22fee4cdd6d0c9ae09a333f1ed685a

Download Submit
C:\Windows\SysWOW64\Hlnqln32.exe

Filesize
1.9MB

MD5
0dff3ef44a25475ea8e8b7d5c675918d

SHA1
a41f3dd3650d55c7f2e6f432fcbe9877425d29f1

SHA256
4935b6759cddf1d2e086738a471e428d22a5dc8404a864642ad1d1f37b23aac4

SHA512
b0096bbce4837aa22c1e43645952e421b215ba6f98da80ecaec9fa011b3f8d6a8e00fb1f272a1c16b5c29bc92d9b0a5bbe22fee4cdd6d0c9ae09a333f1ed685a

Download Submit
C:\Windows\SysWOW64\Hpcmfchg.exe

Filesize
1.9MB

MD5
981677a0b5c2917deeaee3ef149b7dc9

SHA1
7707dab4e9432ee8e398b5096e2631e573accfc8

SHA256
1f141e86e5c5106c19b28f07ca64f293c43a478baf6bcbfc4b5ef25b9d88108d

SHA512
6f615f2d569e83bebca9ecb2518ccdb0142e2c43e01c3aa2d39bdf2b28afa767a8472cba61daab06424c81c8371f463d08ac16b52c654f4e3cc3aa6122a68d78

Download Submit
C:\Windows\SysWOW64\Hpcmfchg.exe

Filesize
1.9MB

MD5
981677a0b5c2917deeaee3ef149b7dc9

SHA1
7707dab4e9432ee8e398b5096e2631e573accfc8

SHA256
1f141e86e5c5106c19b28f07ca64f293c43a478baf6bcbfc4b5ef25b9d88108d

SHA512
6f615f2d569e83bebca9ecb2518ccdb0142e2c43e01c3aa2d39bdf2b28afa767a8472cba61daab06424c81c8371f463d08ac16b52c654f4e3cc3aa6122a68d78

Download Submit
C:\Windows\SysWOW64\Idkkki32.exe

Filesize
1.9MB

MD5
9af4ebccdcb3325a72b59988e8819455

SHA1
d43c218c705f1ad58fe70892fa376abd073d6584

SHA256
8ef9fa5ba5cdd03d423bc14f804e89f06e745a954c87b8d4a164d8db9654314b

SHA512
2aeb46c44566071524b8f3ed485b927db85f9a3e22292b530774338d44333395a5bfcb4604c987cdbd29d34116c5ef5f810db952e38a4f246852252270f3c515

Download Submit
C:\Windows\SysWOW64\Igieoleg.exe

Filesize
1.9MB

MD5
981677a0b5c2917deeaee3ef149b7dc9

SHA1
7707dab4e9432ee8e398b5096e2631e573accfc8

SHA256
1f141e86e5c5106c19b28f07ca64f293c43a478baf6bcbfc4b5ef25b9d88108d

SHA512
6f615f2d569e83bebca9ecb2518ccdb0142e2c43e01c3aa2d39bdf2b28afa767a8472cba61daab06424c81c8371f463d08ac16b52c654f4e3cc3aa6122a68d78

Download Submit
C:\Windows\SysWOW64\Igieoleg.exe

Filesize
1.9MB

MD5
9c0ea0535a7d1ac558d9d88202051a58

SHA1
f1a4b7320eda8518818c5e6f3f33623640997fa0

SHA256
315f84fadd0141ddb23be25a19936d07682f6a2df6a22c9e410e5008c73be0a5

SHA512
c7ae023bf8ef0c498115795d2e7d41e129e41c9d6716553078a6ced9edc206f8b395386c7b79ccfb32abb7e46181ca398c684625e2ae448bb95d40f3bf0f3293

Download Submit
C:\Windows\SysWOW64\Igieoleg.exe

Filesize
1.9MB

MD5
9c0ea0535a7d1ac558d9d88202051a58

SHA1
f1a4b7320eda8518818c5e6f3f33623640997fa0

SHA256
315f84fadd0141ddb23be25a19936d07682f6a2df6a22c9e410e5008c73be0a5

SHA512
c7ae023bf8ef0c498115795d2e7d41e129e41c9d6716553078a6ced9edc206f8b395386c7b79ccfb32abb7e46181ca398c684625e2ae448bb95d40f3bf0f3293

Download Submit
C:\Windows\SysWOW64\Ihfpabbd.exe

Filesize
1.9MB

MD5
a977105fbea9e5eb7a1dd20fa9e0f446

SHA1
a5c10b75a827555aaa58739d7e529fd55624a4fb

SHA256
9ebee5808761e4f59ca2bee0b0587535cfb2c74d1c72334cd14359d5ea97f570

SHA512
322a1204c544cfbdd1d133913e54dd5840a43e1eb342c5cccc81f7fe0befc16d3eb6976099b7bd219eb48bae8ac23c1dcaf87b2b52bb0290edf17cb27863eb9b

Download Submit
C:\Windows\SysWOW64\Jbmfig32.exe

Filesize
1.9MB

MD5
0e79615cd288fd022a69bde1104877c5

SHA1
3ede1a6eb5d1fd1f9451ac9ad7afa59a3539db0b

SHA256
365156e85a57cbd44e062ba57e4b9b861be7d5f43effb68b94687d5a4bcb1f52

SHA512
220c379aa907430f39ab17acba4ce344b894ea2cc947088dfd07ef84141ca08d41f3570a18e5b66df011ce9e3cc5714bd2887d379d7726b866a2d0deccce7892

Download Submit
C:\Windows\SysWOW64\Jdnqgg32.exe

Filesize
1.9MB

MD5
941504d5efee45bbb2e475dbf6550f70

SHA1
5cd992a711aa1c8481c69420fd014116a5c9163f

SHA256
83e4215adc3ef500d93ff4f15f4960494a5e55d80884205549b5565815710c72

SHA512
1cd13ada7cf701c3a9f853c5beab2b21f93a5adfe59998ca9082bc8d919eb8286302648b05ce688ba314bd2366052ba1a82df1f1465ff4095dd2c7e4dd0d4991

Download Submit
C:\Windows\SysWOW64\Jkomhhae.exe

Filesize
1.9MB

MD5
2911c60bfccff5582ca5056e702e7afb

SHA1
d99d5a064e6a63359127d64d38f9c23cb70a4b20

SHA256
3aa17def7dc27c88aafb6434ecc7cae71a4d78db28bfdc95b2ddf78b252a3be5

SHA512
14ffbf624cca594ff2c62783fac31b31099d17d40c2c6d4747480da0cadac21761f7cd732fa070f040aa6876d3c7f11f8fa4501b344b8fcbedaf2c20f5735f04

Download Submit
C:\Windows\SysWOW64\Jkomhhae.exe

Filesize
1.9MB

MD5
2911c60bfccff5582ca5056e702e7afb

SHA1
d99d5a064e6a63359127d64d38f9c23cb70a4b20

SHA256
3aa17def7dc27c88aafb6434ecc7cae71a4d78db28bfdc95b2ddf78b252a3be5

SHA512
14ffbf624cca594ff2c62783fac31b31099d17d40c2c6d4747480da0cadac21761f7cd732fa070f040aa6876d3c7f11f8fa4501b344b8fcbedaf2c20f5735f04

Download Submit
C:\Windows\SysWOW64\Jondojna.exe

Filesize
1.9MB

MD5
0c1d3ed23443ac2f3b93506445704766

SHA1
f68b5d4150f3939e23f49e48980dff76e300e9cb

SHA256
b26014caa201fa7d356c462e28330695d10e6c3d0589a55589f8a7575faa2511

SHA512
65cd3cd8cf68d45d5204af859ca42b931971a9d930faaab0883cde7fdab9f6f01d1cbbaa1f10ef06f46bfa6d506e486b3d9e38f49de3740683e4b42a701e7f48

Download Submit
C:\Windows\SysWOW64\Jqmicpbj.exe

Filesize
1.9MB

MD5
d808db5186d54f79136a7ea181a147f0

SHA1
90ef95210892c08005fb125eec063b0dce77305f

SHA256
be93320c5b8c8067da13be6038213166568e9da55d89c03dccabecc8e0e4d4a7

SHA512
38e31a75009765886cdb509a0cc01422e3fa2e8cc8da828f4948555e50591f5bd9f33c00a3c5fe10d34a36b91eb5e82dbd899e78530f0106de370ac6edd202e1

Download Submit
C:\Windows\SysWOW64\Jqmicpbj.exe

Filesize
1.9MB

MD5
d808db5186d54f79136a7ea181a147f0

SHA1
90ef95210892c08005fb125eec063b0dce77305f

SHA256
be93320c5b8c8067da13be6038213166568e9da55d89c03dccabecc8e0e4d4a7

SHA512
38e31a75009765886cdb509a0cc01422e3fa2e8cc8da828f4948555e50591f5bd9f33c00a3c5fe10d34a36b91eb5e82dbd899e78530f0106de370ac6edd202e1

Download Submit
C:\Windows\SysWOW64\Jqmicpbj.exe

Filesize
1.9MB

MD5
d808db5186d54f79136a7ea181a147f0

SHA1
90ef95210892c08005fb125eec063b0dce77305f

SHA256
be93320c5b8c8067da13be6038213166568e9da55d89c03dccabecc8e0e4d4a7

SHA512
38e31a75009765886cdb509a0cc01422e3fa2e8cc8da828f4948555e50591f5bd9f33c00a3c5fe10d34a36b91eb5e82dbd899e78530f0106de370ac6edd202e1

Download Submit
C:\Windows\SysWOW64\Kjqfmn32.exe

Filesize
1.9MB

MD5
2d47e4be73ff92b2770f32f8ec3e13d7

SHA1
c93cd4f24f0245642f20d32a6620c1ca1e2e5eb6

SHA256
898821accc875627bc0414471788837c99f69c8a455c1059911278f4f7e2606e

SHA512
0d02053998d1aa45a27e00856e632295cf93e3a021f4aa02fa7365d1e6610303ad4af62b7b812b017b5efbeb0781b9826be148b0c520595fdc719a83a5bce026

Download Submit
C:\Windows\SysWOW64\Kjqfmn32.exe

Filesize
1.9MB

MD5
2d47e4be73ff92b2770f32f8ec3e13d7

SHA1
c93cd4f24f0245642f20d32a6620c1ca1e2e5eb6

SHA256
898821accc875627bc0414471788837c99f69c8a455c1059911278f4f7e2606e

SHA512
0d02053998d1aa45a27e00856e632295cf93e3a021f4aa02fa7365d1e6610303ad4af62b7b812b017b5efbeb0781b9826be148b0c520595fdc719a83a5bce026

Download Submit
C:\Windows\SysWOW64\Kojdkhdd.exe

Filesize
1.9MB

MD5
f869a70792766242c55896cf59cfc252

SHA1
2c58e1f84ee2ebd3f6ad551c908bda12908c0345

SHA256
73af14bc3b779d27d7cea2d823ff975b3f442cd9ea6dc7a5da79b7c702f38c21

SHA512
78b82269aee7f2e1f846b6f4e3d990ec6f4883941a11c836a196ceadabd1d2c4af0161b2e8694c4bb5bd0368443d8544ae6966b8341f83067cbe8e3053f820b2

Download Submit
C:\Windows\SysWOW64\Lcbmlbig.exe

Filesize
1.9MB

MD5
79a040d05da90cb710cb8db2ea9d207d

SHA1
9626b6544c845e8a17bb9dcd7fbba30570bf464d

SHA256
92e2dd3d9e7a6cdf1e0d19270164096f300a1d8a8b8092cf5a89798179308719

SHA512
0fb0d83dd8c9566ad909f22c1196b1fd7e7f1a80a4233fa00f96266b632859d4c7e4b0818b2ef60ed53c4eef166905ee473824508651b3b5ce08faab34a7820a

Download Submit
C:\Windows\SysWOW64\Lcbmlbig.exe

Filesize
1.9MB

MD5
79a040d05da90cb710cb8db2ea9d207d

SHA1
9626b6544c845e8a17bb9dcd7fbba30570bf464d

SHA256
92e2dd3d9e7a6cdf1e0d19270164096f300a1d8a8b8092cf5a89798179308719

SHA512
0fb0d83dd8c9566ad909f22c1196b1fd7e7f1a80a4233fa00f96266b632859d4c7e4b0818b2ef60ed53c4eef166905ee473824508651b3b5ce08faab34a7820a

Download Submit
C:\Windows\SysWOW64\Lgnleiid.exe

Filesize
1.9MB

MD5
322d6482b8779a3c4885b6e4237eb243

SHA1
3e475521e1ca3cc1e5d3e64b4de024e839e01bb2

SHA256
3d02330a5e1f2bdb713644435b392bc05c21dde9ace463dbb958f98d1b2a39bd

SHA512
6048e7fc47c00f297f94c1115abdbc1999d7571732514c25b9712ff327b8051fa6f52ce8c2a36e85bfa2df098d4e630c207b9cd434ab335437a287de8cea5147

Download Submit
C:\Windows\SysWOW64\Lpghfi32.exe

Filesize
1.9MB

MD5
5ff82ebb753982f4bc7f82d613f2a02b

SHA1
8000a8a3ec299cddfbfca037549cc525fe797970

SHA256
23412dc4b59bce3bf7b6dd4fe27b7e7f510213f1e9e05ac835e808a40be20726

SHA512
c933ec86dc87d6b797c33b3095d63e73379d70cec80851c8261e1b701755f7d470cd85b0ed09fb4f4bab0abf7c669f54233d9cd431a211d50036643aa6e75e89

Download Submit
C:\Windows\SysWOW64\Lpghfi32.exe

Filesize
1.9MB

MD5
5ff82ebb753982f4bc7f82d613f2a02b

SHA1
8000a8a3ec299cddfbfca037549cc525fe797970

SHA256
23412dc4b59bce3bf7b6dd4fe27b7e7f510213f1e9e05ac835e808a40be20726

SHA512
c933ec86dc87d6b797c33b3095d63e73379d70cec80851c8261e1b701755f7d470cd85b0ed09fb4f4bab0abf7c669f54233d9cd431a211d50036643aa6e75e89

Download Submit
C:\Windows\SysWOW64\Maaoaa32.exe

Filesize
1.9MB

MD5
9019c2c1b0cd39f6898b92263703f0d7

SHA1
1d4bdc8fbfc808a71fd2f56fe38088d314018aeb

SHA256
e5a86214311d33c0811a853a12a3a4087ea8e6fc231f7bd0798377270e5beb25

SHA512
1a8ff0e18b6efccbd41d8382c417fd860a6b037f7215f0d0ab5a9ea30030edc25f175af6e5b333244dbb55fbf39c2037a58d431741319be710a195e7036f7a98

Download Submit
C:\Windows\SysWOW64\Maaoaa32.exe

Filesize
1.9MB

MD5
9019c2c1b0cd39f6898b92263703f0d7

SHA1
1d4bdc8fbfc808a71fd2f56fe38088d314018aeb

SHA256
e5a86214311d33c0811a853a12a3a4087ea8e6fc231f7bd0798377270e5beb25

SHA512
1a8ff0e18b6efccbd41d8382c417fd860a6b037f7215f0d0ab5a9ea30030edc25f175af6e5b333244dbb55fbf39c2037a58d431741319be710a195e7036f7a98

Download Submit
C:\Windows\SysWOW64\Mabdlk32.exe

Filesize
1.9MB

MD5
a30af468f2ce5b731e3bdc7ae90bf383

SHA1
812fd96168cfa577b2f482624fa6686a29d7bc2a

SHA256
0d4e64d8893b8f59423a41f813ecbaf0fce5165aa266ae73a6ac0be73174b653

SHA512
1bcd59fd40e9340d954085134d46ab37e136c5a24ecae93bcdccdf556c389459c1c9fa33fd8afbe4d661f0b393402aa43255d05b409557eb9f40231d72a254c7

Download Submit
C:\Windows\SysWOW64\Mabdlk32.exe

Filesize
1.9MB

MD5
a30af468f2ce5b731e3bdc7ae90bf383

SHA1
812fd96168cfa577b2f482624fa6686a29d7bc2a

SHA256
0d4e64d8893b8f59423a41f813ecbaf0fce5165aa266ae73a6ac0be73174b653

SHA512
1bcd59fd40e9340d954085134d46ab37e136c5a24ecae93bcdccdf556c389459c1c9fa33fd8afbe4d661f0b393402aa43255d05b409557eb9f40231d72a254c7

Download Submit
C:\Windows\SysWOW64\Mminfech.exe

Filesize
1.9MB

MD5
22217364e7e6cf8f2a8aea3bacb2f87d

SHA1
25b03c8703cd31a2cca1885a5046e00e5e7a922f

SHA256
db03dfacd995fc5f254ccaf2918a3b2d156e208d6bd208b1c80dd102727d7962

SHA512
1ea8f4c44a8e014a38f0dff3bac272eb7db1df378d0b0148bff15cfe75d424b5f9f7f1814746adea2e179c0ba7c50ace1fdfcb43e2f25c1400d849e9724f4353

Download Submit
C:\Windows\SysWOW64\Mminfech.exe

Filesize
1.9MB

MD5
22217364e7e6cf8f2a8aea3bacb2f87d

SHA1
25b03c8703cd31a2cca1885a5046e00e5e7a922f

SHA256
db03dfacd995fc5f254ccaf2918a3b2d156e208d6bd208b1c80dd102727d7962

SHA512
1ea8f4c44a8e014a38f0dff3bac272eb7db1df378d0b0148bff15cfe75d424b5f9f7f1814746adea2e179c0ba7c50ace1fdfcb43e2f25c1400d849e9724f4353

Download Submit
C:\Windows\SysWOW64\Mnggnh32.exe

Filesize
1.9MB

MD5
2e65d6f5772d4dcd06bc561ec308ec38

SHA1
148effa604f95bd4dd12a49b28d911b8f572eb72

SHA256
8b21a35f72f2f0f65b68e7d4a8901b3eee4fa52fbe6d782f8a886b8b5ad03fb3

SHA512
9559b8501d47cda04d05748e805935b643daf678dc9f02a44c96d40144e01e46b92a31a40b86bce492922b8b060a4da409772edffe505c001b5504ad064f1cd6

Download Submit
C:\Windows\SysWOW64\Nbjhph32.exe

Filesize
1.9MB

MD5
5a54cd5342cff54191b0cc687edfbf41

SHA1
5d8e06dd99fbef2323b5b48a04a094b2018b9771

SHA256
1ab1f31400198b319be213649bb7204604d8b5e2942dd399bc42d1b52fc0c191

SHA512
73d6e3896311abd7b46e2ad64d150a09cddfc2b0f4b57fd9071f7d4a9afda9eab347e033182e4af0f067c0d093befe1fe659cc2dbac21ae2110fd76cad781700

Download Submit
C:\Windows\SysWOW64\Ndliin32.exe

Filesize
768KB

MD5
e7c6a2532efafe5734a49b75dc51af80

SHA1
b1cd4bf580e02783d6203d0f31e585cfac37f82e

SHA256
1be4d97041c8ab8bc2085a9f52fda4f81adfcadcd2ce49b33e96c27bc0a14b19

SHA512
e039de97f888d8700cfc4f969876749b64fa7fbdc219dfb04eec1ba5600efbf786e86e8c97281bd255c32254cff4122d0592e35466e7d80efbdf028878e5a75d

Download Submit
C:\Windows\SysWOW64\Ndliin32.exe

Filesize
1.9MB

MD5
ba5d4d871790df27fd7c80b1e0c67c04

SHA1
aaf2c82aa6cf0f74e8e5193be512c316a53b89b2

SHA256
598b0351de56c7649124e2b70cd05a130f2da85d81259f6b4447ce88ee22babc

SHA512
bc69d6d7497835e57d7f34e86acd6cab6a3c50e5743befa3de666e4992408e0cf73e60679fbd54ec6b522af8e75f68666f40ce98b3ad3b0bfc36b52130a3f901

Download Submit
C:\Windows\SysWOW64\Ndliin32.exe

Filesize
1.9MB

MD5
ba5d4d871790df27fd7c80b1e0c67c04

SHA1
aaf2c82aa6cf0f74e8e5193be512c316a53b89b2

SHA256
598b0351de56c7649124e2b70cd05a130f2da85d81259f6b4447ce88ee22babc

SHA512
bc69d6d7497835e57d7f34e86acd6cab6a3c50e5743befa3de666e4992408e0cf73e60679fbd54ec6b522af8e75f68666f40ce98b3ad3b0bfc36b52130a3f901

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
1.9MB

MD5
e0e879dbb0c204d25c229edc3ddd6da2

SHA1
526e1e074e41fe401cea9a581adf996c4b837afa

SHA256
d01b4b16c0142c1766cccadc9690792fa20a93ba3a2d8ab52f384840948164b5

SHA512
470ec316e366f213ca73813f301ac493aea6cadab43b52606d7337f044ac61fc1e0343c65539bc39ddc171ea332bfec0b287890a51bf76fbebdbe721866b585e

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
1.9MB

MD5
e0e879dbb0c204d25c229edc3ddd6da2

SHA1
526e1e074e41fe401cea9a581adf996c4b837afa

SHA256
d01b4b16c0142c1766cccadc9690792fa20a93ba3a2d8ab52f384840948164b5

SHA512
470ec316e366f213ca73813f301ac493aea6cadab43b52606d7337f044ac61fc1e0343c65539bc39ddc171ea332bfec0b287890a51bf76fbebdbe721866b585e

Download Submit
C:\Windows\SysWOW64\Ohdbkh32.exe

Filesize
1.9MB

MD5
80a47e7114c9b313a88ded65ecdbf417

SHA1
8617373629889d42e57765ee5e9759d6688a2b41

SHA256
85ead0d265886f3335363607916594bf31d75987d82534e826891fd2252d5ef9

SHA512
bc71bf0b31a7b4889963ade5c81af3298a1577aa3c03892cf8d2b99b4b36d54ec55c15884e9ac5a18036e868578b5d2392d53a4ab581c057453110e153891052

Download Submit
C:\Windows\SysWOW64\Ohdbkh32.exe

Filesize
1.9MB

MD5
80a47e7114c9b313a88ded65ecdbf417

SHA1
8617373629889d42e57765ee5e9759d6688a2b41

SHA256
85ead0d265886f3335363607916594bf31d75987d82534e826891fd2252d5ef9

SHA512
bc71bf0b31a7b4889963ade5c81af3298a1577aa3c03892cf8d2b99b4b36d54ec55c15884e9ac5a18036e868578b5d2392d53a4ab581c057453110e153891052

Download Submit
C:\Windows\SysWOW64\Oklifdmi.exe

Filesize
1.9MB

MD5
a228d6b612639065aa2bd99847fdd422

SHA1
88d1e625658ca79b6bd58dad7a490017778b87f4

SHA256
dc1b2becf6afa888c9b4dcc5c7b91adcce54d622196e969149a201bf8e5436a5

SHA512
88c6d53111ecc8b88179b4baf9fe62123f42421b070af42cefd6a86c557c5cb2acf86efbaf9f1bdfa6a486b37a27537dbb8bbb4ade48b45cf24a3a649a7ea174

Download Submit
C:\Windows\SysWOW64\Oklifdmi.exe

Filesize
1.9MB

MD5
a228d6b612639065aa2bd99847fdd422

SHA1
88d1e625658ca79b6bd58dad7a490017778b87f4

SHA256
dc1b2becf6afa888c9b4dcc5c7b91adcce54d622196e969149a201bf8e5436a5

SHA512
88c6d53111ecc8b88179b4baf9fe62123f42421b070af42cefd6a86c557c5cb2acf86efbaf9f1bdfa6a486b37a27537dbb8bbb4ade48b45cf24a3a649a7ea174

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
1.9MB

MD5
4b8c8c2d1f52f56bb36afb0362f1f065

SHA1
8a2cd7a7a373597ddb05cd30900f5801c9cb2fa1

SHA256
86a5b6d2f91de47d49d3eb9ccd42ae6f9860def95c994f19ec870d8e5d2455c0

SHA512
2f505a311ad877424ee2f4452a670b1a49aaa17bb006320351af192dbeff46dc534cad115b865ee49ce7b6c5d88992f545e7c8f867385a6d635c7589e25b320c

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
1.9MB

MD5
4b8c8c2d1f52f56bb36afb0362f1f065

SHA1
8a2cd7a7a373597ddb05cd30900f5801c9cb2fa1

SHA256
86a5b6d2f91de47d49d3eb9ccd42ae6f9860def95c994f19ec870d8e5d2455c0

SHA512
2f505a311ad877424ee2f4452a670b1a49aaa17bb006320351af192dbeff46dc534cad115b865ee49ce7b6c5d88992f545e7c8f867385a6d635c7589e25b320c

Download Submit
C:\Windows\SysWOW64\Pbmffi32.exe

Filesize
1.9MB

MD5
741a7123dac02fc3d767a1232afcc3d1

SHA1
9fa47c04a3f8a6f4e4d8cf35137a315840d43a6a

SHA256
0b71c2e4ff8e71052da8dcbbcceb4c461610887e256498c72bbfd6798666de98

SHA512
9a2b109cbaec53db9af0d7c4bf8773ff46d078ce1f9c174308274c5b49794fafa451208905e6e24b9925ad35ab764585175e3a331766b61ed15e9f581b2f3a32

Download Submit
C:\Windows\SysWOW64\Pbmffi32.exe

Filesize
1.9MB

MD5
741a7123dac02fc3d767a1232afcc3d1

SHA1
9fa47c04a3f8a6f4e4d8cf35137a315840d43a6a

SHA256
0b71c2e4ff8e71052da8dcbbcceb4c461610887e256498c72bbfd6798666de98

SHA512
9a2b109cbaec53db9af0d7c4bf8773ff46d078ce1f9c174308274c5b49794fafa451208905e6e24b9925ad35ab764585175e3a331766b61ed15e9f581b2f3a32

Download Submit
C:\Windows\SysWOW64\Pclnon32.exe

Filesize
1.9MB

MD5
d3f7c6507c957a6965a687fff8ebc472

SHA1
0ff1661cd68a658498e209dabfb941485dda5609

SHA256
2028da4f84524ea94f913905b70514429377fdb0434729a9b177e7d4fe3000f2

SHA512
e9ef1e4597da1e113ed9a9493b95bf3a7d9e3bc55f95ea099dc3ee12a4f6289c5ccc04156ff30c1a22a17a6066a68c3df74e2a96f89bd47657db1d07db2ac9f4

Download Submit
C:\Windows\SysWOW64\Phpbffnp.exe

Filesize
1.9MB

MD5
e1cc195f2f6ac690af412e676fa82445

SHA1
21cbb08f9f81054082010fdda5e384d1ed072543

SHA256
c233cf404ce449ab101207722fc50d7cfd112a3417ddc1fcd6166378707a7565

SHA512
4f846ac25507ab8fd236e65ec0547cdb415b057bf114d64880c11fbb57798b69ce530ba54e74a015f2575b43f458f5921d01bc3ef2c9906530ad3f9714715d6c

Download Submit
C:\Windows\SysWOW64\Phpbffnp.exe

Filesize
1.9MB

MD5
e1cc195f2f6ac690af412e676fa82445

SHA1
21cbb08f9f81054082010fdda5e384d1ed072543

SHA256
c233cf404ce449ab101207722fc50d7cfd112a3417ddc1fcd6166378707a7565

SHA512
4f846ac25507ab8fd236e65ec0547cdb415b057bf114d64880c11fbb57798b69ce530ba54e74a015f2575b43f458f5921d01bc3ef2c9906530ad3f9714715d6c

Download Submit
C:\Windows\SysWOW64\Ppdjpcng.exe

Filesize
1.9MB

MD5
b2efa334b4a0a9eff5e2f2f44892f1fd

SHA1
5b723d07a46775f7b2dd45b0b1988e142e326037

SHA256
3781d5bcdb9701465f240f8062e53d18487f6df28ef60622fe22ca22d3f7ba85

SHA512
b4e5a12aef7dc80a9b97814e4e5e56edabc13e755c2b590b22947922476ab3d82671024b7b3143db4f141d12f918e3dbc57fba1d7c704f7a688e14fed6869eb4

Download Submit
C:\Windows\SysWOW64\Ppdjpcng.exe

Filesize
1.9MB

MD5
b2efa334b4a0a9eff5e2f2f44892f1fd

SHA1
5b723d07a46775f7b2dd45b0b1988e142e326037

SHA256
3781d5bcdb9701465f240f8062e53d18487f6df28ef60622fe22ca22d3f7ba85

SHA512
b4e5a12aef7dc80a9b97814e4e5e56edabc13e755c2b590b22947922476ab3d82671024b7b3143db4f141d12f918e3dbc57fba1d7c704f7a688e14fed6869eb4

Download Submit
C:\Windows\SysWOW64\Qdflaa32.exe

Filesize
1.9MB

MD5
4000f879406d34c3006ca8458ecab003

SHA1
19570c5aa051b2df12af9d20e568305471bbf994

SHA256
758173d1dac81679be18e9c3dfb4d0491ecfea812f4b22542aa927ef731083b5

SHA512
af6c47a8e43a10055ff162d261c0fdced2ac38b901c865bdf34576e4aad8e7100ed422b76a0d94b8d209c8373119e2e6f5d129ea0f1a15862cf53a82b5591f1e

Download Submit
C:\Windows\SysWOW64\Qdflaa32.exe

Filesize
1.9MB

MD5
4000f879406d34c3006ca8458ecab003

SHA1
19570c5aa051b2df12af9d20e568305471bbf994

SHA256
758173d1dac81679be18e9c3dfb4d0491ecfea812f4b22542aa927ef731083b5

SHA512
af6c47a8e43a10055ff162d261c0fdced2ac38b901c865bdf34576e4aad8e7100ed422b76a0d94b8d209c8373119e2e6f5d129ea0f1a15862cf53a82b5591f1e

Download Submit
memory/224-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads