bruteratel | 8eef2a9b1e72f1468ce78b38c0e44131f8d57990c2ddb76622fe9b35970a1380

Analysis

max time kernel
18s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe
Size

467KB
MD5

42978971ffb6ee905fbcdbd2e50ee8da
SHA1

7f8c6205716411ffaf7417163c25df39ef6b6d64
SHA256

8eef2a9b1e72f1468ce78b38c0e44131f8d57990c2ddb76622fe9b35970a1380
SHA512

acde2fbb35556cf57bce02447e05575a1f5ce5d4caf11ca66ecf531b54ec6401fa6de1fee3b1516be628e69f885d6bb9c3a2f33e7911d1d0d3c455352fb2be30
SSDEEP

12288:MCX52o8wE39uW8wESByvNv54B9f01ZmHByvNv5:MCp2o8wDW8wQvr4B9f01ZmQvr

Score

10^/10

bruteratel backdoor persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbnmke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidinqpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obcled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obcled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjqec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmfgek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekdnei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiclodaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnmjkahi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglhgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keifdpif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlmcmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbjena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojfcdnjc.exe

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Executes dropped EXE 64 IoCs

pid	Process
3336	Akglloai.exe
3392	Bdpaeehj.exe
3984	Boeebnhp.exe
5016	Blnoga32.exe
4868	Bdickcpo.exe
1020	Cfkmkf32.exe
4304	Cbdjeg32.exe
4832	Cbfgkffn.exe
2968	Dnpdegjp.exe
1164	Dbnmke32.exe
4836	Dodjjimm.exe
2124	Deqcbpld.exe
2328	Ekkkoj32.exe
1800	Ebgpad32.exe
1868	Eiahnnph.exe
4740	Ennqfenp.exe
4300	Enpmld32.exe
852	Eejeiocj.exe
4864	Ekdnei32.exe
3772	Ebnfbcbc.exe
1304	Fihnomjp.exe
3808	Flfkkhid.exe
3216	Fbpchb32.exe
5008	Fmfgek32.exe
3512	Fngcmcfe.exe
1876	Fimhjl32.exe
648	Fpgpgfmh.exe
4828	Ffqhcq32.exe
3380	Fpimlfke.exe
2544	Fefedmil.exe
912	Flpmagqi.exe
3776	Fbjena32.exe
1408	Gmojkj32.exe
2500	Gnqfcbnj.exe
4524	Gifkpknp.exe
4600	Gfjkjo32.exe
180	Gihgfk32.exe
4192	Gnepna32.exe
4752	Gflhoo32.exe
2740	Glipgf32.exe
1100	Gbchdp32.exe
5044	Gimqajgh.exe
3080	Gojiiafp.exe
4932	Hfaajnfb.exe
2076	Hmkigh32.exe
1404	Holfoqcm.exe
1680	Hefnkkkj.exe
1880	Hlpfhe32.exe
1580	Klcekpdo.exe
960	Kcmmhj32.exe
4948	Kncaec32.exe
4116	Kcbfcigf.exe
3212	Lljklo32.exe
3556	Lnjgfb32.exe
408	Ljqhkckn.exe
3920	Lcimdh32.exe
4228	Lopmii32.exe
4368	Lnangaoa.exe
2628	Lcnfohmi.exe
4496	Lncjlq32.exe
4452	Mmhgmmbf.exe
3436	Mfqlfb32.exe
2580	Mnhdgpii.exe
2568	Mcelpggq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjmdlh32.dll	Holfoqcm.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Jhkilook.dll	Obcled32.exe
File opened for modification	C:\Windows\SysWOW64\Jidinqpb.exe	Fnmjkahi.exe
File created	C:\Windows\SysWOW64\Gimqajgh.exe	Gbchdp32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Process not Found
File created	C:\Windows\SysWOW64\Glipgf32.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mgbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Pnfiplog.exe
File opened for modification	C:\Windows\SysWOW64\Pjmjdm32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Epoaed32.dll	Dakikoom.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Process not Found
File created	C:\Windows\SysWOW64\Kcmmhj32.exe	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Jldbpl32.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Mhoahh32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Mglhgg32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Okkidceh.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Fnmjkahi.exe
File opened for modification	C:\Windows\SysWOW64\Kiphjo32.exe	Giacmggo.exe
File created	C:\Windows\SysWOW64\Lcnfohmi.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Gcgplk32.dll	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Fpimlfke.exe	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Gfjkjo32.exe	Gldglf32.exe
File created	C:\Windows\SysWOW64\Dglkoeio.exe	Doagjc32.exe
File created	C:\Windows\SysWOW64\Ofblbapl.dll	Fijdjfdb.exe
File created	C:\Windows\SysWOW64\Dndhqgbm.dll	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Cbdjeg32.exe	Cfkmkf32.exe
File created	C:\Windows\SysWOW64\Qhjmdp32.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Hbnckkha.dll	Enkmfolf.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Process not Found
File created	C:\Windows\SysWOW64\Dbnmke32.exe	Dnpdegjp.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Anhaoj32.dll	Fbplml32.exe
File created	C:\Windows\SysWOW64\Eiidnkam.dll	Process not Found
File created	C:\Windows\SysWOW64\Caageq32.exe	Kleiid32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Mpkcqhdh.dll	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Bpfljc32.dll	Blkkaohc.exe
File created	C:\Windows\SysWOW64\Gpmenm32.dll	Iojkeh32.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Qikoka32.dll	Gimqajgh.exe
File created	C:\Windows\SysWOW64\Dnpdegjp.exe	Cbfgkffn.exe
File created	C:\Windows\SysWOW64\Ofpnmakg.dll	Enpmld32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Fdlkdhnk.exe	Aiclodaj.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Fkfcqb32.exe
File created	C:\Windows\SysWOW64\Fqgedh32.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Hnjfof32.dll	Process not Found
File created	C:\Windows\SysWOW64\Lpamfo32.dll	NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe
File created	C:\Windows\SysWOW64\Hlkfbocp.exe	Dnhgidka.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lohqnd32.exe
File created	C:\Windows\SysWOW64\Lopmii32.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Mcelpggq.exe	Mnhdgpii.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Fofilp32.exe	Feqeog32.exe
File created	C:\Windows\SysWOW64\Qgiiak32.dll	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Eejeiocj.exe	Enpmld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deqcbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll"	Fpimlfke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkkjnjg.dll"	Boeebnhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbchdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll"	Lopmii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcbfcigf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obcled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll"	Mieeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbai32.dll"	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknkchkd.dll"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mieeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fijdjfdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbhekk.dll"	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll"	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhmnn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3336	4216	NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe	84
PID 4216 wrote to memory of 3336	4216	NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe	84
PID 4216 wrote to memory of 3336	4216	NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe	84
PID 3336 wrote to memory of 3392	3336	Akglloai.exe	85
PID 3336 wrote to memory of 3392	3336	Akglloai.exe	85
PID 3336 wrote to memory of 3392	3336	Akglloai.exe	85
PID 3392 wrote to memory of 3984	3392	Bdpaeehj.exe	86
PID 3392 wrote to memory of 3984	3392	Bdpaeehj.exe	86
PID 3392 wrote to memory of 3984	3392	Bdpaeehj.exe	86
PID 3984 wrote to memory of 5016	3984	Boeebnhp.exe	87
PID 3984 wrote to memory of 5016	3984	Boeebnhp.exe	87
PID 3984 wrote to memory of 5016	3984	Boeebnhp.exe	87
PID 5016 wrote to memory of 4868	5016	Blnoga32.exe	88
PID 5016 wrote to memory of 4868	5016	Blnoga32.exe	88
PID 5016 wrote to memory of 4868	5016	Blnoga32.exe	88
PID 4868 wrote to memory of 1020	4868	Bdickcpo.exe	89
PID 4868 wrote to memory of 1020	4868	Bdickcpo.exe	89
PID 4868 wrote to memory of 1020	4868	Bdickcpo.exe	89
PID 1020 wrote to memory of 4304	1020	Cfkmkf32.exe	90
PID 1020 wrote to memory of 4304	1020	Cfkmkf32.exe	90
PID 1020 wrote to memory of 4304	1020	Cfkmkf32.exe	90
PID 4304 wrote to memory of 4832	4304	Cbdjeg32.exe	91
PID 4304 wrote to memory of 4832	4304	Cbdjeg32.exe	91
PID 4304 wrote to memory of 4832	4304	Cbdjeg32.exe	91
PID 4832 wrote to memory of 2968	4832	Cbfgkffn.exe	92
PID 4832 wrote to memory of 2968	4832	Cbfgkffn.exe	92
PID 4832 wrote to memory of 2968	4832	Cbfgkffn.exe	92
PID 2968 wrote to memory of 1164	2968	Dnpdegjp.exe	93
PID 2968 wrote to memory of 1164	2968	Dnpdegjp.exe	93
PID 2968 wrote to memory of 1164	2968	Dnpdegjp.exe	93
PID 1164 wrote to memory of 4836	1164	Dbnmke32.exe	94
PID 1164 wrote to memory of 4836	1164	Dbnmke32.exe	94
PID 1164 wrote to memory of 4836	1164	Dbnmke32.exe	94
PID 4836 wrote to memory of 2124	4836	Dodjjimm.exe	95
PID 4836 wrote to memory of 2124	4836	Dodjjimm.exe	95
PID 4836 wrote to memory of 2124	4836	Dodjjimm.exe	95
PID 2124 wrote to memory of 2328	2124	Deqcbpld.exe	131
PID 2124 wrote to memory of 2328	2124	Deqcbpld.exe	131
PID 2124 wrote to memory of 2328	2124	Deqcbpld.exe	131
PID 2328 wrote to memory of 1800	2328	Ekkkoj32.exe	96
PID 2328 wrote to memory of 1800	2328	Ekkkoj32.exe	96
PID 2328 wrote to memory of 1800	2328	Ekkkoj32.exe	96
PID 1800 wrote to memory of 1868	1800	Ebgpad32.exe	130
PID 1800 wrote to memory of 1868	1800	Ebgpad32.exe	130
PID 1800 wrote to memory of 1868	1800	Ebgpad32.exe	130
PID 1868 wrote to memory of 4740	1868	Eiahnnph.exe	97
PID 1868 wrote to memory of 4740	1868	Eiahnnph.exe	97
PID 1868 wrote to memory of 4740	1868	Eiahnnph.exe	97
PID 4740 wrote to memory of 4300	4740	Ennqfenp.exe	98
PID 4740 wrote to memory of 4300	4740	Ennqfenp.exe	98
PID 4740 wrote to memory of 4300	4740	Ennqfenp.exe	98
PID 4300 wrote to memory of 852	4300	Enpmld32.exe	99
PID 4300 wrote to memory of 852	4300	Enpmld32.exe	99
PID 4300 wrote to memory of 852	4300	Enpmld32.exe	99
PID 852 wrote to memory of 4864	852	Eejeiocj.exe	129
PID 852 wrote to memory of 4864	852	Eejeiocj.exe	129
PID 852 wrote to memory of 4864	852	Eejeiocj.exe	129
PID 4864 wrote to memory of 3772	4864	Ekdnei32.exe	128
PID 4864 wrote to memory of 3772	4864	Ekdnei32.exe	128
PID 4864 wrote to memory of 3772	4864	Ekdnei32.exe	128
PID 3772 wrote to memory of 1304	3772	Ebnfbcbc.exe	127
PID 3772 wrote to memory of 1304	3772	Ebnfbcbc.exe	127
PID 3772 wrote to memory of 1304	3772	Ebnfbcbc.exe	127
PID 1304 wrote to memory of 3808	1304	Fihnomjp.exe	126

C:\Users\Admin\AppData\Local\Temp\NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.42978971ffb6ee905fbcdbd2e50ee8da.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\Akglloai.exe
  C:\Windows\system32\Akglloai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\Bdpaeehj.exe
    C:\Windows\system32\Bdpaeehj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\Boeebnhp.exe
      C:\Windows\system32\Boeebnhp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Cnnllhpa.exe
        
        C:\Windows\system32\Cnnllhpa.exe
        15⤵
        
        PID:4004
    - - C:\Windows\SysWOW64\Egpgehnb.exe
        
        C:\Windows\system32\Egpgehnb.exe
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Eibmlc32.exe
        
        C:\Windows\system32\Eibmlc32.exe
        7⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\Fdhail32.exe
        
        C:\Windows\system32\Fdhail32.exe
        8⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\Fpandm32.exe
        
        C:\Windows\system32\Fpandm32.exe
        9⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\Ffnglc32.exe
        
        C:\Windows\system32\Ffnglc32.exe
        10⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\Fgpplf32.exe
        
        C:\Windows\system32\Fgpplf32.exe
        11⤵
        
        PID:12572

C:\Windows\SysWOW64\Ebgpad32.exe
C:\Windows\system32\Ebgpad32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\Eiahnnph.exe
  C:\Windows\system32\Eiahnnph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1868

C:\Windows\SysWOW64\Ennqfenp.exe
C:\Windows\system32\Ennqfenp.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\Enpmld32.exe
  C:\Windows\system32\Enpmld32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\Eejeiocj.exe
    C:\Windows\system32\Eejeiocj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\Ekdnei32.exe
      C:\Windows\system32\Ekdnei32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4864

C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:648
- C:\Windows\SysWOW64\Ffqhcq32.exe
  C:\Windows\system32\Ffqhcq32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4828

C:\Windows\SysWOW64\Fefedmil.exe
C:\Windows\system32\Fefedmil.exe
1⤵
- Executes dropped EXE
PID:2544
- C:\Windows\SysWOW64\Flpmagqi.exe
  C:\Windows\system32\Flpmagqi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:912

C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
1⤵
- Executes dropped EXE
PID:2500
- C:\Windows\SysWOW64\Gifkpknp.exe
  C:\Windows\system32\Gifkpknp.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- - C:\Windows\SysWOW64\Gldglf32.exe
    C:\Windows\system32\Gldglf32.exe
    3⤵
    - Drops file in System32 directory
    PID:3812

C:\Windows\SysWOW64\Gfjkjo32.exe
C:\Windows\system32\Gfjkjo32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4600
- C:\Windows\SysWOW64\Gihgfk32.exe
  C:\Windows\system32\Gihgfk32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:180

C:\Windows\SysWOW64\Gnepna32.exe
C:\Windows\system32\Gnepna32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4192
- C:\Windows\SysWOW64\Gflhoo32.exe
  C:\Windows\system32\Gflhoo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4752

C:\Windows\SysWOW64\Glipgf32.exe
C:\Windows\system32\Glipgf32.exe
1⤵
- Executes dropped EXE
PID:2740
- C:\Windows\SysWOW64\Gbchdp32.exe
  C:\Windows\system32\Gbchdp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1100

C:\Windows\SysWOW64\Gimqajgh.exe
C:\Windows\system32\Gimqajgh.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5044
- C:\Windows\SysWOW64\Gojiiafp.exe
  C:\Windows\system32\Gojiiafp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:3080
- - C:\Windows\SysWOW64\Hfaajnfb.exe
    C:\Windows\system32\Hfaajnfb.exe
    3⤵
    - Executes dropped EXE
    PID:4932

C:\Windows\SysWOW64\Hmkigh32.exe
C:\Windows\system32\Hmkigh32.exe
1⤵
- Executes dropped EXE
PID:2076
- C:\Windows\SysWOW64\Holfoqcm.exe
  C:\Windows\system32\Holfoqcm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1404
- - C:\Windows\SysWOW64\Hefnkkkj.exe
    C:\Windows\system32\Hefnkkkj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1680
  - - C:\Windows\SysWOW64\Hlpfhe32.exe
      C:\Windows\system32\Hlpfhe32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1880
    - - C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
      - C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        6⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        11⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        15⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        17⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        20⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        22⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        24⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        25⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        26⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        28⤵
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        29⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        30⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        31⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        32⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        33⤵
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        35⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        36⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        39⤵
        Modifies registry class
        
        PID:488
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        40⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:368
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        42⤵
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        43⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        44⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        45⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        47⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        48⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        49⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        51⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        54⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        56⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        58⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        61⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        62⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        63⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        64⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        65⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        66⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        69⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        70⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        73⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        74⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        75⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        76⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        78⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        79⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        81⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        83⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        84⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        85⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        88⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        89⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        90⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        92⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        93⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        96⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        97⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        98⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        99⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        100⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        101⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        102⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        103⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        104⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        105⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        106⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        107⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        114⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        115⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        116⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        117⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        118⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        119⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        120⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        121⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        123⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        124⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        125⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        126⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        127⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        128⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        129⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        131⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        133⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        135⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        138⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        139⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        140⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        141⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        142⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        143⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        146⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        147⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        148⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        152⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        153⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        154⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        155⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        156⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        157⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        158⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        159⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        160⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        163⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        164⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7564
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        166⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        167⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        168⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        170⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        171⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        173⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        174⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        175⤵
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        176⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        177⤵
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        178⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        179⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        180⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        181⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        182⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        183⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        184⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        185⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        186⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        187⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        188⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        189⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        190⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        191⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        192⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        193⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        194⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        195⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        196⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        197⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        198⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        199⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        200⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        201⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        202⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        203⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        204⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        205⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        206⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        207⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        208⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        209⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        210⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        211⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        212⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        213⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        214⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        215⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        216⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        217⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        218⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        219⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        220⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        221⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        222⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        223⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        224⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        225⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        226⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        227⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        228⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        229⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        230⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        231⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        232⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        233⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        234⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        235⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        236⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        237⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        238⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        239⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        240⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        241⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        242⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        243⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        244⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        245⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        246⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        247⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        248⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        249⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        250⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        251⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        252⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        253⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        254⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        255⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        256⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        257⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        258⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        259⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        260⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        261⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        262⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        263⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        264⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        265⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        266⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        267⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        268⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        269⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        270⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        271⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        272⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        273⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        274⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        275⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        276⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        277⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        278⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        279⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        280⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        281⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        282⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        283⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        284⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        285⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        286⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        287⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        288⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        289⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        290⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        291⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        292⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        293⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        294⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        295⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        296⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        297⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        298⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        299⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        300⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        301⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        302⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        303⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        304⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        305⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        306⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        307⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        308⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        309⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        310⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        311⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        312⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        313⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        314⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        315⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        316⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        317⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        318⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        319⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        320⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        321⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        322⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        323⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        324⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        325⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        326⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        327⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        328⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        329⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        330⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        331⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        332⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        333⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        334⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        335⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        336⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        337⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        338⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        339⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        340⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        341⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        342⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        343⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        344⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        345⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        346⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        347⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        348⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        349⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        350⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        351⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        352⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        353⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        354⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        355⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Aphegjhc.exe
        
        C:\Windows\system32\Aphegjhc.exe
        156⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Ekcemmgo.exe
        
        C:\Windows\system32\Ekcemmgo.exe
        157⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Hommhi32.exe
        
        C:\Windows\system32\Hommhi32.exe
        108⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Kaihonhl.exe
        
        C:\Windows\system32\Kaihonhl.exe
        41⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        42⤵
        
        PID:332

C:\Windows\SysWOW64\Gmojkj32.exe
C:\Windows\system32\Gmojkj32.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWOW64\Fbjena32.exe
C:\Windows\system32\Fbjena32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776

C:\Windows\SysWOW64\Fpimlfke.exe
C:\Windows\system32\Fpimlfke.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3380

C:\Windows\SysWOW64\Fimhjl32.exe
C:\Windows\system32\Fimhjl32.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\Fngcmcfe.exe
C:\Windows\system32\Fngcmcfe.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\Fmfgek32.exe
C:\Windows\system32\Fmfgek32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\system32\Fbpchb32.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\SysWOW64\Flfkkhid.exe
C:\Windows\system32\Flfkkhid.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\SysWOW64\Fihnomjp.exe
C:\Windows\system32\Fihnomjp.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\Pnhjig32.exe
  C:\Windows\system32\Pnhjig32.exe
  2⤵
  PID:5884

C:\Windows\SysWOW64\Ebnfbcbc.exe
C:\Windows\system32\Ebnfbcbc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\Leoejh32.exe
C:\Windows\system32\Leoejh32.exe
1⤵
PID:10768
- C:\Windows\SysWOW64\Lhmafcnf.exe
  C:\Windows\system32\Lhmafcnf.exe
  2⤵
  PID:10804
- - C:\Windows\SysWOW64\Leabphmp.exe
    C:\Windows\system32\Leabphmp.exe
    3⤵
    PID:10840
  - - C:\Windows\SysWOW64\Lojfin32.exe
      C:\Windows\system32\Lojfin32.exe
      4⤵
      PID:10884
    - - C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        5⤵
        
        PID:10928
      - C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        6⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        7⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        8⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        9⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        10⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        11⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        12⤵
        
        PID:11216

C:\Windows\SysWOW64\Maaekg32.exe
C:\Windows\system32\Maaekg32.exe
1⤵
PID:11256
- C:\Windows\SysWOW64\Mhknhabf.exe
  C:\Windows\system32\Mhknhabf.exe
  2⤵
  PID:10276
- - C:\Windows\SysWOW64\Moefdljc.exe
    C:\Windows\system32\Moefdljc.exe
    3⤵
    PID:10328
  - - C:\Windows\SysWOW64\Mepnaf32.exe
      C:\Windows\system32\Mepnaf32.exe
      4⤵
      PID:10400
    - - C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        5⤵
        
        PID:10472
      - C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        6⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        7⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        8⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        9⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        10⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        11⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        12⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        13⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        14⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        15⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        16⤵
        
        PID:11208

C:\Windows\SysWOW64\Nlefjnno.exe
C:\Windows\system32\Nlefjnno.exe
1⤵
PID:9820
- C:\Windows\SysWOW64\Nocbfjmc.exe
  C:\Windows\system32\Nocbfjmc.exe
  2⤵
  PID:10368
- - C:\Windows\SysWOW64\Nfnjbdep.exe
    C:\Windows\system32\Nfnjbdep.exe
    3⤵
    PID:10492
  - - C:\Windows\SysWOW64\Nhlfoodc.exe
      C:\Windows\system32\Nhlfoodc.exe
      4⤵
      PID:10608
    - - C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        5⤵
        
        PID:10672
      - C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        6⤵
        
        PID:10792

C:\Windows\SysWOW64\Oljoen32.exe
C:\Windows\system32\Oljoen32.exe
1⤵
PID:10960
- C:\Windows\SysWOW64\Ocdgahag.exe
  C:\Windows\system32\Ocdgahag.exe
  2⤵
  PID:11076
- - C:\Windows\SysWOW64\Odedipge.exe
    C:\Windows\system32\Odedipge.exe
    3⤵
    PID:11160
  - - C:\Windows\SysWOW64\Ookhfigk.exe
      C:\Windows\system32\Ookhfigk.exe
      4⤵
      PID:11252
    - - C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        5⤵
        
        PID:10448
      - C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        6⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        7⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        8⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        9⤵
        
        PID:11224

C:\Windows\SysWOW64\Oooaah32.exe
C:\Windows\system32\Oooaah32.exe
1⤵
PID:10524
- C:\Windows\SysWOW64\Obnnnc32.exe
  C:\Windows\system32\Obnnnc32.exe
  2⤵
  PID:10788
- - C:\Windows\SysWOW64\Ohhfknjf.exe
    C:\Windows\system32\Ohhfknjf.exe
    3⤵
    PID:11120
  - - C:\Windows\SysWOW64\Okfbgiij.exe
      C:\Windows\system32\Okfbgiij.exe
      4⤵
      PID:10724

C:\Windows\SysWOW64\Ocmjhfjl.exe
C:\Windows\system32\Ocmjhfjl.exe
1⤵
PID:11244
- C:\Windows\SysWOW64\Pdngpo32.exe
  C:\Windows\system32\Pdngpo32.exe
  2⤵
  PID:11200
- - C:\Windows\SysWOW64\Pkholi32.exe
    C:\Windows\system32\Pkholi32.exe
    3⤵
    PID:11300
  - - C:\Windows\SysWOW64\Pbbgicnd.exe
      C:\Windows\system32\Pbbgicnd.exe
      4⤵
      PID:11336
    - - C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        5⤵
        
        PID:11372

C:\Windows\SysWOW64\Pkklbh32.exe
C:\Windows\system32\Pkklbh32.exe
1⤵
PID:11412
- C:\Windows\SysWOW64\Pbddobla.exe
  C:\Windows\system32\Pbddobla.exe
  2⤵
  PID:11448
- - C:\Windows\SysWOW64\Pecpknke.exe
    C:\Windows\system32\Pecpknke.exe
    3⤵
    PID:11484

C:\Windows\SysWOW64\Pkmhgh32.exe
C:\Windows\system32\Pkmhgh32.exe
1⤵
PID:11532
- C:\Windows\SysWOW64\Pcdqhecd.exe
  C:\Windows\system32\Pcdqhecd.exe
  2⤵
  PID:11568

C:\Windows\SysWOW64\Peempn32.exe
C:\Windows\system32\Peempn32.exe
1⤵
PID:11616
- C:\Windows\SysWOW64\Pokanf32.exe
  C:\Windows\system32\Pokanf32.exe
  2⤵
  PID:11668
- - C:\Windows\SysWOW64\Pfeijqqe.exe
    C:\Windows\system32\Pfeijqqe.exe
    3⤵
    PID:11708

C:\Windows\SysWOW64\Piceflpi.exe
C:\Windows\system32\Piceflpi.exe
1⤵
PID:11740
- C:\Windows\SysWOW64\Pomncfge.exe
  C:\Windows\system32\Pomncfge.exe
  2⤵
  PID:11788
- - C:\Windows\SysWOW64\Pbljoafi.exe
    C:\Windows\system32\Pbljoafi.exe
    3⤵
    PID:11824
  - - C:\Windows\SysWOW64\Qifbll32.exe
      C:\Windows\system32\Qifbll32.exe
      4⤵
      PID:11876
    - - C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        5⤵
        
        PID:11916
      - C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        6⤵
        
        PID:11952

C:\Windows\SysWOW64\Qihoak32.exe
C:\Windows\system32\Qihoak32.exe
1⤵
PID:11992
- C:\Windows\SysWOW64\Qpbgnecp.exe
  C:\Windows\system32\Qpbgnecp.exe
  2⤵
  PID:12032
- - C:\Windows\SysWOW64\Abpcja32.exe
    C:\Windows\system32\Abpcja32.exe
    3⤵
    PID:12072
  - - C:\Windows\SysWOW64\Amfhgj32.exe
      C:\Windows\system32\Amfhgj32.exe
      4⤵
      PID:12108
    - - C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        5⤵
        
        PID:12144
      - C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        6⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        7⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        8⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        9⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        10⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        11⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        12⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        13⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        14⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        15⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        16⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        17⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        18⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        19⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        20⤵
        
        PID:12040

C:\Windows\SysWOW64\Bihhhi32.exe
C:\Windows\system32\Bihhhi32.exe
1⤵
PID:12116
- C:\Windows\SysWOW64\Bpbpecen.exe
  C:\Windows\system32\Bpbpecen.exe
  2⤵
  PID:12188
- - C:\Windows\SysWOW64\Beoimjce.exe
    C:\Windows\system32\Beoimjce.exe
    3⤵
    PID:12252
  - - C:\Windows\SysWOW64\Bliajd32.exe
      C:\Windows\system32\Bliajd32.exe
      4⤵
      PID:11124

C:\Windows\SysWOW64\Bcpika32.exe
C:\Windows\system32\Bcpika32.exe
1⤵
PID:11404
- C:\Windows\SysWOW64\Beaecjab.exe
  C:\Windows\system32\Beaecjab.exe
  2⤵
  PID:11496
- - C:\Windows\SysWOW64\Bbefln32.exe
    C:\Windows\system32\Bbefln32.exe
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\Bmkjig32.exe
      C:\Windows\system32\Bmkjig32.exe
      4⤵
      PID:11812
    - - C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        5⤵
        
        PID:11912
      - C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        6⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        7⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        8⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        9⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        10⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        11⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        12⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        13⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        14⤵
        
        PID:12268

C:\Windows\SysWOW64\Dfonnk32.exe
C:\Windows\system32\Dfonnk32.exe
1⤵
PID:11516
- C:\Windows\SysWOW64\Dinjjf32.exe
  C:\Windows\system32\Dinjjf32.exe
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\Dbfoclai.exe
    C:\Windows\system32\Dbfoclai.exe
    3⤵
    PID:4656

C:\Windows\SysWOW64\Dipgpf32.exe
C:\Windows\system32\Dipgpf32.exe
1⤵
PID:11944
- C:\Windows\SysWOW64\Dpjompqc.exe
  C:\Windows\system32\Dpjompqc.exe
  2⤵
  PID:12136

C:\Windows\SysWOW64\Dmnpfd32.exe
C:\Windows\system32\Dmnpfd32.exe
1⤵
PID:11576
- C:\Windows\SysWOW64\Dpllbp32.exe
  C:\Windows\system32\Dpllbp32.exe
  2⤵
  PID:11736
- - C:\Windows\SysWOW64\Dgfdojfm.exe
    C:\Windows\system32\Dgfdojfm.exe
    3⤵
    PID:12092

C:\Windows\SysWOW64\Dmplkd32.exe
C:\Windows\system32\Dmplkd32.exe
1⤵
PID:11468
- C:\Windows\SysWOW64\Ddjehneg.exe
  C:\Windows\system32\Ddjehneg.exe
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\Dekapfke.exe
    C:\Windows\system32\Dekapfke.exe
    3⤵
    PID:12176
  - - C:\Windows\SysWOW64\Ecoaijio.exe
      C:\Windows\system32\Ecoaijio.exe
      4⤵
      PID:1332
    - - C:\Windows\SysWOW64\Egmjpi32.exe
        
        C:\Windows\system32\Egmjpi32.exe
        5⤵
        
        PID:4536
      - C:\Windows\SysWOW64\Emgblc32.exe
        
        C:\Windows\system32\Emgblc32.exe
        6⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Epeohn32.exe
        
        C:\Windows\system32\Epeohn32.exe
        7⤵
        
        PID:3984

C:\Windows\SysWOW64\Gggfme32.exe
C:\Windows\system32\Gggfme32.exe
1⤵
PID:12696
- C:\Windows\SysWOW64\Gdmcki32.exe
  C:\Windows\system32\Gdmcki32.exe
  2⤵
  PID:12768

C:\Windows\SysWOW64\Hdicggla.exe
C:\Windows\system32\Hdicggla.exe
1⤵
PID:12944
- C:\Windows\SysWOW64\Ijhhenhf.exe
  C:\Windows\system32\Ijhhenhf.exe
  2⤵
  PID:13012
- - C:\Windows\SysWOW64\Icciccmd.exe
    C:\Windows\system32\Icciccmd.exe
    3⤵
    PID:13080
  - - C:\Windows\SysWOW64\Icgbob32.exe
      C:\Windows\system32\Icgbob32.exe
      4⤵
      PID:13152
    - - C:\Windows\SysWOW64\Jjakkmpk.exe
        
        C:\Windows\system32\Jjakkmpk.exe
        5⤵
        
        PID:13192
      - C:\Windows\SysWOW64\Jgekdq32.exe
        
        C:\Windows\system32\Jgekdq32.exe
        6⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\Jnocakfb.exe
        
        C:\Windows\system32\Jnocakfb.exe
        7⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\Jclljaei.exe
        
        C:\Windows\system32\Jclljaei.exe
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Jmdqbg32.exe
        
        C:\Windows\system32\Jmdqbg32.exe
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Jfmekm32.exe
        
        C:\Windows\system32\Jfmekm32.exe
        10⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Jmgmhgig.exe
        
        C:\Windows\system32\Jmgmhgig.exe
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Jjknakhq.exe
        
        C:\Windows\system32\Jjknakhq.exe
        12⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\Jaefne32.exe
        
        C:\Windows\system32\Jaefne32.exe
        13⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Khonkogj.exe
        
        C:\Windows\system32\Khonkogj.exe
        14⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        15⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\Kebodc32.exe
        
        C:\Windows\system32\Kebodc32.exe
        16⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\Kfdklllb.exe
        
        C:\Windows\system32\Kfdklllb.exe
        17⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\Knkcmild.exe
        
        C:\Windows\system32\Knkcmild.exe
        18⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Keekjc32.exe
        
        C:\Windows\system32\Keekjc32.exe
        19⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\Kffhakjp.exe
        
        C:\Windows\system32\Kffhakjp.exe
        20⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\Kmppneal.exe
        
        C:\Windows\system32\Kmppneal.exe
        21⤵
        
        PID:348
        
        C:\Windows\SysWOW64\Kdjhkp32.exe
        
        C:\Windows\system32\Kdjhkp32.exe
        22⤵
        
        PID:12684
        
        C:\Windows\SysWOW64\Kjdqhjpf.exe
        
        C:\Windows\system32\Kjdqhjpf.exe
        23⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Kanidd32.exe
        
        C:\Windows\system32\Kanidd32.exe
        24⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\Kjfmminc.exe
        
        C:\Windows\system32\Kjfmminc.exe
        25⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Lhjnfn32.exe
        
        C:\Windows\system32\Lhjnfn32.exe
        26⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        27⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\Lfddci32.exe
        
        C:\Windows\system32\Lfddci32.exe
        28⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Lajhpbme.exe
        
        C:\Windows\system32\Lajhpbme.exe
        29⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Lfgahikm.exe
        
        C:\Windows\system32\Lfgahikm.exe
        30⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\Mdkabmjf.exe
        
        C:\Windows\system32\Mdkabmjf.exe
        31⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Mejnlpai.exe
        
        C:\Windows\system32\Mejnlpai.exe
        32⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\Mmebpbod.exe
        
        C:\Windows\system32\Mmebpbod.exe
        33⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Moeoje32.exe
        
        C:\Windows\system32\Moeoje32.exe
        34⤵
        
        PID:260
        
        C:\Windows\SysWOW64\Mklpof32.exe
        
        C:\Windows\system32\Mklpof32.exe
        35⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Mhppik32.exe
        
        C:\Windows\system32\Mhppik32.exe
        36⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Nahdapae.exe
        
        C:\Windows\system32\Nahdapae.exe
        37⤵
        
        PID:12432
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        38⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Nefmgogl.exe
        
        C:\Windows\system32\Nefmgogl.exe
        39⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\Nonbqd32.exe
        
        C:\Windows\system32\Nonbqd32.exe
        40⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Naokbokn.exe
        
        C:\Windows\system32\Naokbokn.exe
        41⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Nglcjfie.exe
        
        C:\Windows\system32\Nglcjfie.exe
        42⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        43⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Ogqmee32.exe
        
        C:\Windows\system32\Ogqmee32.exe
        44⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\Onjebpml.exe
        
        C:\Windows\system32\Onjebpml.exe
        45⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\Oggbfdog.exe
        
        C:\Windows\system32\Oggbfdog.exe
        46⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\Phlikg32.exe
        
        C:\Windows\system32\Phlikg32.exe
        47⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\Qbmpjkqk.exe
        
        C:\Windows\system32\Qbmpjkqk.exe
        48⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        49⤵
        
        PID:13068
        
        C:\Windows\SysWOW64\Afpbkicl.exe
        
        C:\Windows\system32\Afpbkicl.exe
        50⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\Agckiqgg.exe
        
        C:\Windows\system32\Agckiqgg.exe
        51⤵
        
        PID:3988

C:\Windows\SysWOW64\Hfamia32.exe
C:\Windows\system32\Hfamia32.exe
1⤵
PID:12832

C:\Windows\SysWOW64\Gdfmkjlg.exe
C:\Windows\system32\Gdfmkjlg.exe
1⤵
PID:12640

C:\Windows\SysWOW64\Bgfhnpde.exe
C:\Windows\system32\Bgfhnpde.exe
1⤵
PID:3560
- C:\Windows\SysWOW64\Bpaikm32.exe
  C:\Windows\system32\Bpaikm32.exe
  2⤵
  PID:1904

C:\Windows\SysWOW64\Cnbfgh32.exe
C:\Windows\system32\Cnbfgh32.exe
1⤵
PID:2872
- C:\Windows\SysWOW64\Dlkplk32.exe
  C:\Windows\system32\Dlkplk32.exe
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\Eihcln32.exe
    C:\Windows\system32\Eihcln32.exe
    3⤵
    PID:4028

C:\Windows\SysWOW64\Cnlpgibd.exe
C:\Windows\system32\Cnlpgibd.exe
1⤵
PID:2328

C:\Windows\SysWOW64\Gcfjfqah.exe
C:\Windows\system32\Gcfjfqah.exe
1⤵
PID:12960
- C:\Windows\SysWOW64\Gcmpgpkp.exe
  C:\Windows\system32\Gcmpgpkp.exe
  2⤵
  PID:2272

C:\Windows\SysWOW64\Hlhaee32.exe
C:\Windows\system32\Hlhaee32.exe
1⤵
PID:632
- C:\Windows\SysWOW64\Icklhnop.exe
  C:\Windows\system32\Icklhnop.exe
  2⤵
  PID:5212
- - C:\Windows\SysWOW64\Ijlkfg32.exe
    C:\Windows\system32\Ijlkfg32.exe
    3⤵
    PID:1912

C:\Windows\SysWOW64\Jqofippg.exe
C:\Windows\system32\Jqofippg.exe
1⤵
PID:3448

C:\Windows\SysWOW64\Lmneemaq.exe
C:\Windows\system32\Lmneemaq.exe
1⤵
PID:11700
- C:\Windows\SysWOW64\Mjafoapj.exe
  C:\Windows\system32\Mjafoapj.exe
  2⤵
  PID:12312

C:\Windows\SysWOW64\Mapgfk32.exe
C:\Windows\system32\Mapgfk32.exe
1⤵
PID:11608
- C:\Windows\SysWOW64\Mmghklif.exe
  C:\Windows\system32\Mmghklif.exe
  2⤵
  PID:5024
- - C:\Windows\SysWOW64\Mhmmieil.exe
    C:\Windows\system32\Mhmmieil.exe
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\Minipm32.exe
      C:\Windows\system32\Minipm32.exe
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        5⤵
        
        PID:12472
      - C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        6⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ndejcemn.exe
        
        C:\Windows\system32\Ndejcemn.exe
        7⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        8⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        9⤵
        
        PID:932

C:\Windows\SysWOW64\Ckcbaf32.exe
C:\Windows\system32\Ckcbaf32.exe
1⤵
PID:7024
- C:\Windows\SysWOW64\Eblgon32.exe
  C:\Windows\system32\Eblgon32.exe
  2⤵
  PID:6224

C:\Windows\SysWOW64\Eeomfioh.exe
C:\Windows\system32\Eeomfioh.exe
1⤵
PID:6332
- C:\Windows\SysWOW64\Gahcgg32.exe
  C:\Windows\system32\Gahcgg32.exe
  2⤵
  PID:6648

C:\Windows\SysWOW64\Pignccea.exe
C:\Windows\system32\Pignccea.exe
1⤵
PID:5144
- C:\Windows\SysWOW64\Pgphggpe.exe
  C:\Windows\system32\Pgphggpe.exe
  2⤵
  PID:6508

C:\Windows\SysWOW64\Ojmgggdo.exe
C:\Windows\system32\Ojmgggdo.exe
1⤵
PID:5788

C:\Windows\SysWOW64\Opcjno32.exe
C:\Windows\system32\Opcjno32.exe
1⤵
PID:7620

C:\Windows\SysWOW64\Llmbqdfb.exe
C:\Windows\system32\Llmbqdfb.exe
1⤵
PID:232

C:\Windows\SysWOW64\Lcndab32.exe
C:\Windows\system32\Lcndab32.exe
1⤵
PID:13144

C:\Windows\SysWOW64\Jflgfpkc.exe
C:\Windows\system32\Jflgfpkc.exe
1⤵
PID:6860

C:\Windows\SysWOW64\Jjbjlpga.exe
C:\Windows\system32\Jjbjlpga.exe
1⤵
PID:7164

C:\Windows\SysWOW64\Ikejbjip.exe
C:\Windows\system32\Ikejbjip.exe
1⤵
PID:3848

C:\Windows\SysWOW64\Hmcfma32.exe
C:\Windows\system32\Hmcfma32.exe
1⤵
PID:7044
- C:\Windows\SysWOW64\Haeino32.exe
  C:\Windows\system32\Haeino32.exe
  2⤵
  PID:7304
- - C:\Windows\SysWOW64\Hknmgd32.exe
    C:\Windows\system32\Hknmgd32.exe
    3⤵
    PID:8156
  - - C:\Windows\SysWOW64\Iajbinaf.exe
      C:\Windows\system32\Iajbinaf.exe
      4⤵
      PID:4612
    - - C:\Windows\SysWOW64\Ilpfgg32.exe
        
        C:\Windows\system32\Ilpfgg32.exe
        5⤵
        
        PID:7632
      - C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        6⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Idkkki32.exe
        
        C:\Windows\system32\Idkkki32.exe
        7⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Ikechced.exe
        
        C:\Windows\system32\Ikechced.exe
        8⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\Iejgelej.exe
        
        C:\Windows\system32\Iejgelej.exe
        9⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Ikgpmc32.exe
        
        C:\Windows\system32\Ikgpmc32.exe
        10⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Idpdfija.exe
        
        C:\Windows\system32\Idpdfija.exe
        11⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ieoapl32.exe
        
        C:\Windows\system32\Ieoapl32.exe
        12⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Jklihbol.exe
        
        C:\Windows\system32\Jklihbol.exe
        13⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Jeanfkob.exe
        
        C:\Windows\system32\Jeanfkob.exe
        14⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Jknfnbmi.exe
        
        C:\Windows\system32\Jknfnbmi.exe
        15⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Jnmbjnlm.exe
        
        C:\Windows\system32\Jnmbjnlm.exe
        16⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        17⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Jefgak32.exe
        
        C:\Windows\system32\Jefgak32.exe
        18⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Jhdcmf32.exe
        
        C:\Windows\system32\Jhdcmf32.exe
        19⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Jnalem32.exe
        
        C:\Windows\system32\Jnalem32.exe
        20⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Jehcfj32.exe
        
        C:\Windows\system32\Jehcfj32.exe
        21⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Kleiid32.exe
        
        C:\Windows\system32\Kleiid32.exe
        22⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Kfmmajed.exe
        
        C:\Windows\system32\Kfmmajed.exe
        23⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Khnfce32.exe
        
        C:\Windows\system32\Khnfce32.exe
        24⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kfbfmi32.exe
        
        C:\Windows\system32\Kfbfmi32.exe
        25⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Knmkak32.exe
        
        C:\Windows\system32\Knmkak32.exe
        26⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\Kkaljpmd.exe
        
        C:\Windows\system32\Kkaljpmd.exe
        27⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Loodqn32.exe
        
        C:\Windows\system32\Loodqn32.exe
        28⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Mbiphhhq.exe
        
        C:\Windows\system32\Mbiphhhq.exe
        29⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Mkadam32.exe
        
        C:\Windows\system32\Mkadam32.exe
        30⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Mieeka32.exe
        
        C:\Windows\system32\Mieeka32.exe
        31⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mmcnap32.exe
        
        C:\Windows\system32\Mmcnap32.exe
        32⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Mijofaje.exe
        
        C:\Windows\system32\Mijofaje.exe
        33⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Nfpled32.exe
        
        C:\Windows\system32\Nfpled32.exe
        34⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nmjdaoni.exe
        
        C:\Windows\system32\Nmjdaoni.exe
        35⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Nnlqig32.exe
        
        C:\Windows\system32\Nnlqig32.exe
        36⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Neeifa32.exe
        
        C:\Windows\system32\Neeifa32.exe
        37⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Nlpabkba.exe
        
        C:\Windows\system32\Nlpabkba.exe
        38⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Nblfee32.exe
        
        C:\Windows\system32\Nblfee32.exe
        39⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Obqopddf.exe
        
        C:\Windows\system32\Obqopddf.exe
        40⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Olidijjf.exe
        
        C:\Windows\system32\Olidijjf.exe
        41⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Obcled32.exe
        
        C:\Windows\system32\Obcled32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        43⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Oecego32.exe
        
        C:\Windows\system32\Oecego32.exe
        44⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Oefamoma.exe
        
        C:\Windows\system32\Oefamoma.exe
        45⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Opkfjgmh.exe
        
        C:\Windows\system32\Opkfjgmh.exe
        46⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Pehnboko.exe
        
        C:\Windows\system32\Pehnboko.exe
        47⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Pblolb32.exe
        
        C:\Windows\system32\Pblolb32.exe
        48⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Pekkhn32.exe
        
        C:\Windows\system32\Pekkhn32.exe
        49⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Pldcdhpi.exe
        
        C:\Windows\system32\Pldcdhpi.exe
        50⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Pfjgbapo.exe
        
        C:\Windows\system32\Pfjgbapo.exe
        51⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Pihdnloc.exe
        
        C:\Windows\system32\Pihdnloc.exe
        52⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Pfmdgq32.exe
        
        C:\Windows\system32\Pfmdgq32.exe
        53⤵
        
        PID:9760

C:\Windows\SysWOW64\Bgeadjai.exe
C:\Windows\system32\Bgeadjai.exe
1⤵
PID:6580

C:\Windows\SysWOW64\Akgjnj32.exe
C:\Windows\system32\Akgjnj32.exe
1⤵
PID:5224

C:\Windows\SysWOW64\Ahgamo32.exe
C:\Windows\system32\Ahgamo32.exe
1⤵
PID:6328

C:\Windows\SysWOW64\Pkgaglpp.exe
C:\Windows\system32\Pkgaglpp.exe
1⤵
PID:1304

C:\Windows\SysWOW64\Agmmnnpj.exe
C:\Windows\system32\Agmmnnpj.exe
1⤵
PID:9520
- C:\Windows\SysWOW64\Amgekh32.exe
  C:\Windows\system32\Amgekh32.exe
  2⤵
  PID:9772
- - C:\Windows\SysWOW64\Aohbbqme.exe
    C:\Windows\system32\Aohbbqme.exe
    3⤵
    PID:10032
  - - C:\Windows\SysWOW64\Amibqhed.exe
      C:\Windows\system32\Amibqhed.exe
      4⤵
      PID:6964
    - - C:\Windows\SysWOW64\Bpgnmcdh.exe
        
        C:\Windows\system32\Bpgnmcdh.exe
        5⤵
        
        PID:9928
      - C:\Windows\SysWOW64\Bgafin32.exe
        
        C:\Windows\system32\Bgafin32.exe
        6⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Bmlofhca.exe
        
        C:\Windows\system32\Bmlofhca.exe
        7⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Bekmei32.exe
        
        C:\Windows\system32\Bekmei32.exe
        8⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Bpaacblm.exe
        
        C:\Windows\system32\Bpaacblm.exe
        9⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\Bjielh32.exe
        
        C:\Windows\system32\Bjielh32.exe
        10⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Clhbhc32.exe
        
        C:\Windows\system32\Clhbhc32.exe
        11⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Ccajdmin.exe
        
        C:\Windows\system32\Ccajdmin.exe
        12⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Cngnbfid.exe
        
        C:\Windows\system32\Cngnbfid.exe
        13⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Cgpcklpd.exe
        
        C:\Windows\system32\Cgpcklpd.exe
        14⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Cnjkgf32.exe
        
        C:\Windows\system32\Cnjkgf32.exe
        15⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Cokgonmp.exe
        
        C:\Windows\system32\Cokgonmp.exe
        16⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Cfeplh32.exe
        
        C:\Windows\system32\Cfeplh32.exe
        17⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Clohhbli.exe
        
        C:\Windows\system32\Clohhbli.exe
        18⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Cfglahbj.exe
        
        C:\Windows\system32\Cfglahbj.exe
        19⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Cckmklac.exe
        
        C:\Windows\system32\Cckmklac.exe
        20⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        21⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Dobnpm32.exe
        
        C:\Windows\system32\Dobnpm32.exe
        22⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Djgbmffn.exe
        
        C:\Windows\system32\Djgbmffn.exe
        23⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\Dqajjp32.exe
        
        C:\Windows\system32\Dqajjp32.exe
        24⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dgkbfjeg.exe
        
        C:\Windows\system32\Dgkbfjeg.exe
        25⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Dofgklcb.exe
        
        C:\Windows\system32\Dofgklcb.exe
        26⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Dgnolj32.exe
        
        C:\Windows\system32\Dgnolj32.exe
        27⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Dnhgidka.exe
        
        C:\Windows\system32\Dnhgidka.exe
        28⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Dcdpakii.exe
        
        C:\Windows\system32\Dcdpakii.exe
        29⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Djnhne32.exe
        
        C:\Windows\system32\Djnhne32.exe
        30⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\Dqhpjohb.exe
        
        C:\Windows\system32\Dqhpjohb.exe
        31⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Ejaecdnc.exe
        
        C:\Windows\system32\Ejaecdnc.exe
        32⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Eqkmpo32.exe
        
        C:\Windows\system32\Eqkmpo32.exe
        33⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Egeemiml.exe
        
        C:\Windows\system32\Egeemiml.exe
        34⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Enomic32.exe
        
        C:\Windows\system32\Enomic32.exe
        35⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Eqmjen32.exe
        
        C:\Windows\system32\Eqmjen32.exe
        36⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Efjbne32.exe
        
        C:\Windows\system32\Efjbne32.exe
        37⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Eqpfknbj.exe
        
        C:\Windows\system32\Eqpfknbj.exe
        38⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\Egiohh32.exe
        
        C:\Windows\system32\Egiohh32.exe
        39⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Eqbcqnph.exe
        
        C:\Windows\system32\Eqbcqnph.exe
        40⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Ejjgic32.exe
        
        C:\Windows\system32\Ejjgic32.exe
        41⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Eqdpfm32.exe
        
        C:\Windows\system32\Eqdpfm32.exe
        42⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\Egnhcgeb.exe
        
        C:\Windows\system32\Egnhcgeb.exe
        43⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Fmkqknci.exe
        
        C:\Windows\system32\Fmkqknci.exe
        44⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Fgqehgco.exe
        
        C:\Windows\system32\Fgqehgco.exe
        45⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Fnjmea32.exe
        
        C:\Windows\system32\Fnjmea32.exe
        46⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\Fgcang32.exe
        
        C:\Windows\system32\Fgcang32.exe
        47⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\Fnmjkahi.exe
        
        C:\Windows\system32\Fnmjkahi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Fcibchgq.exe
        
        C:\Windows\system32\Fcibchgq.exe
        49⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Fjcjpb32.exe
        
        C:\Windows\system32\Fjcjpb32.exe
        50⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\Fppchile.exe
        
        C:\Windows\system32\Fppchile.exe
        51⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\Fjfgealk.exe
        
        C:\Windows\system32\Fjfgealk.exe
        52⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Fapobl32.exe
        
        C:\Windows\system32\Fapobl32.exe
        53⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\Gfmhjb32.exe
        
        C:\Windows\system32\Gfmhjb32.exe
        54⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Gmfpgmil.exe
        
        C:\Windows\system32\Gmfpgmil.exe
        55⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Ggldde32.exe
        
        C:\Windows\system32\Ggldde32.exe
        56⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Gmimll32.exe
        
        C:\Windows\system32\Gmimll32.exe
        57⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Ggoaje32.exe
        
        C:\Windows\system32\Ggoaje32.exe
        58⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Gnhifonl.exe
        
        C:\Windows\system32\Gnhifonl.exe
        59⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Gpjfng32.exe
        
        C:\Windows\system32\Gpjfng32.exe
        60⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\Gnkflo32.exe
        
        C:\Windows\system32\Gnkflo32.exe
        61⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\Gplbcgbg.exe
        
        C:\Windows\system32\Gplbcgbg.exe
        62⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Gffkpa32.exe
        
        C:\Windows\system32\Gffkpa32.exe
        63⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Gmpcmkaa.exe
        
        C:\Windows\system32\Gmpcmkaa.exe
        64⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Hpqlof32.exe
        
        C:\Windows\system32\Hpqlof32.exe
        65⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Hfkdkqeo.exe
        
        C:\Windows\system32\Hfkdkqeo.exe
        66⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Haphiiee.exe
        
        C:\Windows\system32\Haphiiee.exe
        67⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Hhjqec32.exe
        
        C:\Windows\system32\Hhjqec32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Hndibn32.exe
        
        C:\Windows\system32\Hndibn32.exe
        69⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\Hpeejfjm.exe
        
        C:\Windows\system32\Hpeejfjm.exe
        70⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Hfonfp32.exe
        
        C:\Windows\system32\Hfonfp32.exe
        71⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Hmifcjif.exe
        
        C:\Windows\system32\Hmifcjif.exe
        72⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Hdcnpd32.exe
        
        C:\Windows\system32\Hdcnpd32.exe
        73⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\Hjmfmnhp.exe
        
        C:\Windows\system32\Hjmfmnhp.exe
        74⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Hagnihom.exe
        
        C:\Windows\system32\Hagnihom.exe
        75⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        76⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Ijpcbn32.exe
        
        C:\Windows\system32\Ijpcbn32.exe
        77⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\Idhgkcln.exe
        
        C:\Windows\system32\Idhgkcln.exe
        78⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\Ikbphn32.exe
        
        C:\Windows\system32\Ikbphn32.exe
        79⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Ialhdh32.exe
        
        C:\Windows\system32\Ialhdh32.exe
        80⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ihfpabbd.exe
        
        C:\Windows\system32\Ihfpabbd.exe
        81⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Iophnl32.exe
        
        C:\Windows\system32\Iophnl32.exe
        82⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ipaeedpp.exe
        
        C:\Windows\system32\Ipaeedpp.exe
        83⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\Igkmbn32.exe
        
        C:\Windows\system32\Igkmbn32.exe
        84⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Iobecl32.exe
        
        C:\Windows\system32\Iobecl32.exe
        85⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\Ipcakd32.exe
        
        C:\Windows\system32\Ipcakd32.exe
        86⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Jacnegep.exe
        
        C:\Windows\system32\Jacnegep.exe
        87⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Jkkbnl32.exe
        
        C:\Windows\system32\Jkkbnl32.exe
        88⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Jmjojh32.exe
        
        C:\Windows\system32\Jmjojh32.exe
        89⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\Jddggb32.exe
        
        C:\Windows\system32\Jddggb32.exe
        90⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\Jgbccm32.exe
        
        C:\Windows\system32\Jgbccm32.exe
        91⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jmlkpgia.exe
        
        C:\Windows\system32\Jmlkpgia.exe
        92⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Jdfcla32.exe
        
        C:\Windows\system32\Jdfcla32.exe
        93⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\Jkplilgk.exe
        
        C:\Windows\system32\Jkplilgk.exe
        94⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\Jkbhok32.exe
        
        C:\Windows\system32\Jkbhok32.exe
        95⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\Jalakeme.exe
        
        C:\Windows\system32\Jalakeme.exe
        96⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jdkmgali.exe
        
        C:\Windows\system32\Jdkmgali.exe
        97⤵
        
        PID:112
        
        C:\Windows\SysWOW64\Jkeedk32.exe
        
        C:\Windows\system32\Jkeedk32.exe
        98⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Kaonaekb.exe
        
        C:\Windows\system32\Kaonaekb.exe
        99⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\Khifno32.exe
        
        C:\Windows\system32\Khifno32.exe
        100⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Kkgbjkac.exe
        
        C:\Windows\system32\Kkgbjkac.exe
        101⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Kpdjbapj.exe
        
        C:\Windows\system32\Kpdjbapj.exe
        102⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Kgnbol32.exe
        
        C:\Windows\system32\Kgnbol32.exe
        103⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        104⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        105⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\Khmoionj.exe
        
        C:\Windows\system32\Khmoionj.exe
        106⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Koggehff.exe
        
        C:\Windows\system32\Koggehff.exe
        107⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Kddpnpdn.exe
        
        C:\Windows\system32\Kddpnpdn.exe
        108⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Kknhjj32.exe
        
        C:\Windows\system32\Kknhjj32.exe
        109⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Kahpgcch.exe
        
        C:\Windows\system32\Kahpgcch.exe
        110⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\Kdfmcobk.exe
        
        C:\Windows\system32\Kdfmcobk.exe
        111⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kkqepi32.exe
        
        C:\Windows\system32\Kkqepi32.exe
        112⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        113⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Lggeej32.exe
        
        C:\Windows\system32\Lggeej32.exe
        114⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Lnanadfi.exe
        
        C:\Windows\system32\Lnanadfi.exe
        115⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Lhgbomfo.exe
        
        C:\Windows\system32\Lhgbomfo.exe
        116⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Laofhbmp.exe
        
        C:\Windows\system32\Laofhbmp.exe
        117⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Lglopjkg.exe
        
        C:\Windows\system32\Lglopjkg.exe
        118⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Lnfgmc32.exe
        
        C:\Windows\system32\Lnfgmc32.exe
        119⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\Lqdcio32.exe
        
        C:\Windows\system32\Lqdcio32.exe
        120⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Loecgfjf.exe
        
        C:\Windows\system32\Loecgfjf.exe
        121⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Lhnhplpg.exe
        
        C:\Windows\system32\Lhnhplpg.exe
        122⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\Mbfmha32.exe
        
        C:\Windows\system32\Mbfmha32.exe
        123⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Mgceqh32.exe
        
        C:\Windows\system32\Mgceqh32.exe
        124⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Mojmbf32.exe
        
        C:\Windows\system32\Mojmbf32.exe
        125⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Mqkijnkp.exe
        
        C:\Windows\system32\Mqkijnkp.exe
        126⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mkangg32.exe
        
        C:\Windows\system32\Mkangg32.exe
        127⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mbkfcabb.exe
        
        C:\Windows\system32\Mbkfcabb.exe
        128⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Mdibplaf.exe
        
        C:\Windows\system32\Mdibplaf.exe
        129⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Mkcjlf32.exe
        
        C:\Windows\system32\Mkcjlf32.exe
        130⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mbmbiqqp.exe
        
        C:\Windows\system32\Mbmbiqqp.exe
        131⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Mndcnafd.exe
        
        C:\Windows\system32\Mndcnafd.exe
        132⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Mglhgg32.exe
        
        C:\Windows\system32\Mglhgg32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Nnfpcada.exe
        
        C:\Windows\system32\Nnfpcada.exe
        134⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Ndphpk32.exe
        
        C:\Windows\system32\Ndphpk32.exe
        135⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Nkjqme32.exe
        
        C:\Windows\system32\Nkjqme32.exe
        136⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\Nkmmbe32.exe
        
        C:\Windows\system32\Nkmmbe32.exe
        137⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Nbfeoohe.exe
        
        C:\Windows\system32\Nbfeoohe.exe
        138⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Nkojheoe.exe
        
        C:\Windows\system32\Nkojheoe.exe
        139⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Nbkojo32.exe
        
        C:\Windows\system32\Nbkojo32.exe
        140⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Oooodcci.exe
        
        C:\Windows\system32\Oooodcci.exe
        141⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Ogjdheqd.exe
        
        C:\Windows\system32\Ogjdheqd.exe
        142⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\Ondleo32.exe
        
        C:\Windows\system32\Ondleo32.exe
        143⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\Oendaipn.exe
        
        C:\Windows\system32\Oendaipn.exe
        144⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Okhmnc32.exe
        
        C:\Windows\system32\Okhmnc32.exe
        145⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Ongijo32.exe
        
        C:\Windows\system32\Ongijo32.exe
        146⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\Oeqagi32.exe
        
        C:\Windows\system32\Oeqagi32.exe
        147⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Okkidceh.exe
        
        C:\Windows\system32\Okkidceh.exe
        148⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Obdbqm32.exe
        
        C:\Windows\system32\Obdbqm32.exe
        149⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\Oecnmi32.exe
        
        C:\Windows\system32\Oecnmi32.exe
        150⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\Ophbja32.exe
        
        C:\Windows\system32\Ophbja32.exe
        151⤵
        
        PID:12348
        
        C:\Windows\SysWOW64\Oajoaj32.exe
        
        C:\Windows\system32\Oajoaj32.exe
        152⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Oiagcg32.exe
        
        C:\Windows\system32\Oiagcg32.exe
        153⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Ppkopail.exe
        
        C:\Windows\system32\Ppkopail.exe
        154⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Pehghhgc.exe
        
        C:\Windows\system32\Pehghhgc.exe
        155⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Plapdb32.exe
        
        C:\Windows\system32\Plapdb32.exe
        156⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Pblhalfm.exe
        
        C:\Windows\system32\Pblhalfm.exe
        157⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        158⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\Ppphkq32.exe
        
        C:\Windows\system32\Ppphkq32.exe
        159⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Pelacg32.exe
        
        C:\Windows\system32\Pelacg32.exe
        160⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Pneelmjo.exe
        
        C:\Windows\system32\Pneelmjo.exe
        161⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\Peonhg32.exe
        
        C:\Windows\system32\Peonhg32.exe
        162⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\Plifea32.exe
        
        C:\Windows\system32\Plifea32.exe
        163⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Peajngoi.exe
        
        C:\Windows\system32\Peajngoi.exe
        164⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Qahkch32.exe
        
        C:\Windows\system32\Qahkch32.exe
        165⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Qhbcpb32.exe
        
        C:\Windows\system32\Qhbcpb32.exe
        166⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Qnlkllcf.exe
        
        C:\Windows\system32\Qnlkllcf.exe
        167⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Alplfpbp.exe
        
        C:\Windows\system32\Alplfpbp.exe
        168⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Abjdbj32.exe
        
        C:\Windows\system32\Abjdbj32.exe
        169⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Aiclodaj.exe
        
        C:\Windows\system32\Aiclodaj.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Albikp32.exe
        
        C:\Windows\system32\Albikp32.exe
        171⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Ablahjhj.exe
        
        C:\Windows\system32\Ablahjhj.exe
        172⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Aified32.exe
        
        C:\Windows\system32\Aified32.exe
        173⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Aldeap32.exe
        
        C:\Windows\system32\Aldeap32.exe
        174⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Aaanif32.exe
        
        C:\Windows\system32\Aaanif32.exe
        175⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Ahkffqdo.exe
        
        C:\Windows\system32\Ahkffqdo.exe
        176⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Aoenbkll.exe
        
        C:\Windows\system32\Aoenbkll.exe
        177⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Aacjofkp.exe
        
        C:\Windows\system32\Aacjofkp.exe
        178⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Alioloje.exe
        
        C:\Windows\system32\Alioloje.exe
        179⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Bafgdfim.exe
        
        C:\Windows\system32\Bafgdfim.exe
        180⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\Blkkaohc.exe
        
        C:\Windows\system32\Blkkaohc.exe
        181⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Bbecnipp.exe
        
        C:\Windows\system32\Bbecnipp.exe
        182⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Biolkc32.exe
        
        C:\Windows\system32\Biolkc32.exe
        183⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Bpidhmoi.exe
        
        C:\Windows\system32\Bpidhmoi.exe
        184⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Bajqpe32.exe
        
        C:\Windows\system32\Bajqpe32.exe
        185⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Blpemn32.exe
        
        C:\Windows\system32\Blpemn32.exe
        186⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Bammeebe.exe
        
        C:\Windows\system32\Bammeebe.exe
        187⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Bhgeao32.exe
        
        C:\Windows\system32\Bhgeao32.exe
        188⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Boanniao.exe
        
        C:\Windows\system32\Boanniao.exe
        189⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\Bekfkc32.exe
        
        C:\Windows\system32\Bekfkc32.exe
        190⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Bppjhl32.exe
        
        C:\Windows\system32\Bppjhl32.exe
        191⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Caagpdop.exe
        
        C:\Windows\system32\Caagpdop.exe
        192⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Chlomnfl.exe
        
        C:\Windows\system32\Chlomnfl.exe
        193⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Dcmcfeke.exe
        
        C:\Windows\system32\Dcmcfeke.exe
        194⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Dhjknljl.exe
        
        C:\Windows\system32\Dhjknljl.exe
        195⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Docckfai.exe
        
        C:\Windows\system32\Docckfai.exe
        196⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Denlgq32.exe
        
        C:\Windows\system32\Denlgq32.exe
        197⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Dlgddkpc.exe
        
        C:\Windows\system32\Dlgddkpc.exe
        198⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Dhndil32.exe
        
        C:\Windows\system32\Dhndil32.exe
        199⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Dcdifdem.exe
        
        C:\Windows\system32\Dcdifdem.exe
        200⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\Dhqaokcd.exe
        
        C:\Windows\system32\Dhqaokcd.exe
        201⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Dphipidf.exe
        
        C:\Windows\system32\Dphipidf.exe
        202⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\Efdbhpbn.exe
        
        C:\Windows\system32\Efdbhpbn.exe
        203⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Epjfehbd.exe
        
        C:\Windows\system32\Epjfehbd.exe
        204⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Efgono32.exe
        
        C:\Windows\system32\Efgono32.exe
        205⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Elagjihh.exe
        
        C:\Windows\system32\Elagjihh.exe
        206⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Eckogc32.exe
        
        C:\Windows\system32\Eckogc32.exe
        207⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Efikco32.exe
        
        C:\Windows\system32\Efikco32.exe
        208⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\Ecmlmcmb.exe
        
        C:\Windows\system32\Ecmlmcmb.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Ejgdim32.exe
        
        C:\Windows\system32\Ejgdim32.exe
        210⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\Eqalfgll.exe
        
        C:\Windows\system32\Eqalfgll.exe
        211⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Ehlakjig.exe
        
        C:\Windows\system32\Ehlakjig.exe
        212⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\Fofigd32.exe
        
        C:\Windows\system32\Fofigd32.exe
        213⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Ffpadn32.exe
        
        C:\Windows\system32\Ffpadn32.exe
        214⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Fmjjqhpn.exe
        
        C:\Windows\system32\Fmjjqhpn.exe
        215⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Fbgbione.exe
        
        C:\Windows\system32\Fbgbione.exe
        216⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Fmmffhnk.exe
        
        C:\Windows\system32\Fmmffhnk.exe
        217⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Fbiooolb.exe
        
        C:\Windows\system32\Fbiooolb.exe
        218⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\Ficgkico.exe
        
        C:\Windows\system32\Ficgkico.exe
        219⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\Fcikhace.exe
        
        C:\Windows\system32\Fcikhace.exe
        220⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\Fjccel32.exe
        
        C:\Windows\system32\Fjccel32.exe
        221⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Foplnb32.exe
        
        C:\Windows\system32\Foplnb32.exe
        222⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\Ffjdjmpf.exe
        
        C:\Windows\system32\Ffjdjmpf.exe
        223⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Fihqfh32.exe
        
        C:\Windows\system32\Fihqfh32.exe
        224⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Gobicbgf.exe
        
        C:\Windows\system32\Gobicbgf.exe
        225⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Gbqeonfj.exe
        
        C:\Windows\system32\Gbqeonfj.exe
        226⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\Gijmlh32.exe
        
        C:\Windows\system32\Gijmlh32.exe
        227⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Gcpaiq32.exe
        
        C:\Windows\system32\Gcpaiq32.exe
        228⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\Gfnnel32.exe
        
        C:\Windows\system32\Gfnnel32.exe
        229⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\Gmhfbf32.exe
        
        C:\Windows\system32\Gmhfbf32.exe
        230⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Gpgbna32.exe
        
        C:\Windows\system32\Gpgbna32.exe
        231⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Gjlfkj32.exe
        
        C:\Windows\system32\Gjlfkj32.exe
        232⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Gmkbgf32.exe
        
        C:\Windows\system32\Gmkbgf32.exe
        233⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Gcdkdpih.exe
        
        C:\Windows\system32\Gcdkdpih.exe
        234⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Giacmggo.exe
        
        C:\Windows\system32\Giacmggo.exe
        235⤵
        Drops file in System32 directory
        
        PID:7308
        
        C:\Windows\SysWOW64\Gpkliaol.exe
        
        C:\Windows\system32\Gpkliaol.exe
        236⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Gjapfjnb.exe
        
        C:\Windows\system32\Gjapfjnb.exe
        237⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\Hakhcd32.exe
        
        C:\Windows\system32\Hakhcd32.exe
        238⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Hbldkllm.exe
        
        C:\Windows\system32\Hbldkllm.exe
        239⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Hifmhf32.exe
        
        C:\Windows\system32\Hifmhf32.exe
        240⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\Hppedpkf.exe
        
        C:\Windows\system32\Hppedpkf.exe
        241⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Hjeiai32.exe
        
        C:\Windows\system32\Hjeiai32.exe
        242⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\Hcnnjoam.exe
        
        C:\Windows\system32\Hcnnjoam.exe
        243⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\Hjhfgi32.exe
        
        C:\Windows\system32\Hjhfgi32.exe
        244⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\Hpenpp32.exe
        
        C:\Windows\system32\Hpenpp32.exe
        245⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\Hbcklkee.exe
        
        C:\Windows\system32\Hbcklkee.exe
        246⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\Himche32.exe
        
        C:\Windows\system32\Himche32.exe
        247⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\Hpgkeodo.exe
        
        C:\Windows\system32\Hpgkeodo.exe
        248⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\Ijmobhdd.exe
        
        C:\Windows\system32\Ijmobhdd.exe
        249⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\Iafgob32.exe
        
        C:\Windows\system32\Iafgob32.exe
        250⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Ibhdgjap.exe
        
        C:\Windows\system32\Ibhdgjap.exe
        251⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Iiblcdil.exe
        
        C:\Windows\system32\Iiblcdil.exe
        252⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\Ipldpo32.exe
        
        C:\Windows\system32\Ipldpo32.exe
        253⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Ibjqlj32.exe
        
        C:\Windows\system32\Ibjqlj32.exe
        254⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Iidiidgj.exe
        
        C:\Windows\system32\Iidiidgj.exe
        255⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Ipnaen32.exe
        
        C:\Windows\system32\Ipnaen32.exe
        256⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Ibmmbj32.exe
        
        C:\Windows\system32\Ibmmbj32.exe
        257⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Iiffoc32.exe
        
        C:\Windows\system32\Iiffoc32.exe
        258⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Ipqnknld.exe
        
        C:\Windows\system32\Ipqnknld.exe
        259⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Iiibdc32.exe
        
        C:\Windows\system32\Iiibdc32.exe
        260⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ipckqnja.exe
        
        C:\Windows\system32\Ipckqnja.exe
        261⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\Jjhonfjg.exe
        
        C:\Windows\system32\Jjhonfjg.exe
        262⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Jabgkpad.exe
        
        C:\Windows\system32\Jabgkpad.exe
        263⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Jfopcgpk.exe
        
        C:\Windows\system32\Jfopcgpk.exe
        264⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Jmihpa32.exe
        
        C:\Windows\system32\Jmihpa32.exe
        265⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Jagqfp32.exe
        
        C:\Windows\system32\Jagqfp32.exe
        266⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Jbhmnhcm.exe
        
        C:\Windows\system32\Jbhmnhcm.exe
        267⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\Jjoeoedo.exe
        
        C:\Windows\system32\Jjoeoedo.exe
        268⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\Jplmglbf.exe
        
        C:\Windows\system32\Jplmglbf.exe
        269⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Jfffcf32.exe
        
        C:\Windows\system32\Jfffcf32.exe
        270⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        271⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Jdjfmjhm.exe
        
        C:\Windows\system32\Jdjfmjhm.exe
        272⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Kkdnjd32.exe
        
        C:\Windows\system32\Kkdnjd32.exe
        273⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Kdlcbjfj.exe
        
        C:\Windows\system32\Kdlcbjfj.exe
        274⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Kiikkada.exe
        
        C:\Windows\system32\Kiikkada.exe
        275⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Kkihedld.exe
        
        C:\Windows\system32\Kkihedld.exe
        276⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Kpepmkjl.exe
        
        C:\Windows\system32\Kpepmkjl.exe
        277⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Kgphje32.exe
        
        C:\Windows\system32\Kgphje32.exe
        278⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Kaemgn32.exe
        
        C:\Windows\system32\Kaemgn32.exe
        279⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Kkmapc32.exe
        
        C:\Windows\system32\Kkmapc32.exe
        280⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Kmlmlo32.exe
        
        C:\Windows\system32\Kmlmlo32.exe
        281⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\Kdffiinp.exe
        
        C:\Windows\system32\Kdffiinp.exe
        282⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Libnapmg.exe
        
        C:\Windows\system32\Libnapmg.exe
        283⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Lpmfnj32.exe
        
        C:\Windows\system32\Lpmfnj32.exe
        284⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Lkbkkbdj.exe
        
        C:\Windows\system32\Lkbkkbdj.exe
        285⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\Lmqggncn.exe
        
        C:\Windows\system32\Lmqggncn.exe
        286⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Lkdgqbag.exe
        
        C:\Windows\system32\Lkdgqbag.exe
        287⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Lpapiipo.exe
        
        C:\Windows\system32\Lpapiipo.exe
        288⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Lkgdfb32.exe
        
        C:\Windows\system32\Lkgdfb32.exe
        289⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Laqlclga.exe
        
        C:\Windows\system32\Laqlclga.exe
        290⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Lcbikd32.exe
        
        C:\Windows\system32\Lcbikd32.exe
        291⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Ljlagndl.exe
        
        C:\Windows\system32\Ljlagndl.exe
        292⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Lpfidh32.exe
        
        C:\Windows\system32\Lpfidh32.exe
        293⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Mkkmaalo.exe
        
        C:\Windows\system32\Mkkmaalo.exe
        294⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\Mphfjhjf.exe
        
        C:\Windows\system32\Mphfjhjf.exe
        295⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Mknjgajl.exe
        
        C:\Windows\system32\Mknjgajl.exe
        296⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Mahbck32.exe
        
        C:\Windows\system32\Mahbck32.exe
        297⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Mkpglqgj.exe
        
        C:\Windows\system32\Mkpglqgj.exe
        298⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Mpmodg32.exe
        
        C:\Windows\system32\Mpmodg32.exe
        299⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Mjednmla.exe
        
        C:\Windows\system32\Mjednmla.exe
        300⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Mdkhkflh.exe
        
        C:\Windows\system32\Mdkhkflh.exe
        301⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Mkepgp32.exe
        
        C:\Windows\system32\Mkepgp32.exe
        302⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Mncmck32.exe
        
        C:\Windows\system32\Mncmck32.exe
        303⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Naaejj32.exe
        
        C:\Windows\system32\Naaejj32.exe
        304⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Ncbaabom.exe
        
        C:\Windows\system32\Ncbaabom.exe
        305⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Njljnl32.exe
        
        C:\Windows\system32\Njljnl32.exe
        306⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Nacboi32.exe
        
        C:\Windows\system32\Nacboi32.exe
        307⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Ncenga32.exe
        
        C:\Windows\system32\Ncenga32.exe
        308⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Njogdldg.exe
        
        C:\Windows\system32\Njogdldg.exe
        309⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Nqioqf32.exe
        
        C:\Windows\system32\Nqioqf32.exe
        310⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\Ngbgmpcq.exe
        
        C:\Windows\system32\Ngbgmpcq.exe
        311⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Nnmojj32.exe
        
        C:\Windows\system32\Nnmojj32.exe
        312⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Ndfgfd32.exe
        
        C:\Windows\system32\Ndfgfd32.exe
        313⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Nkqpcnig.exe
        
        C:\Windows\system32\Nkqpcnig.exe
        314⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nbjhph32.exe
        
        C:\Windows\system32\Nbjhph32.exe
        315⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ocldhqgb.exe
        
        C:\Windows\system32\Ocldhqgb.exe
        316⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Okcmingd.exe
        
        C:\Windows\system32\Okcmingd.exe
        317⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Oqpeaeel.exe
        
        C:\Windows\system32\Oqpeaeel.exe
        318⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Ogjmnomi.exe
        
        C:\Windows\system32\Ogjmnomi.exe
        319⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Onceji32.exe
        
        C:\Windows\system32\Onceji32.exe
        320⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Odnngclb.exe
        
        C:\Windows\system32\Odnngclb.exe
        321⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Okgfdm32.exe
        
        C:\Windows\system32\Okgfdm32.exe
        322⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Oqdnld32.exe
        
        C:\Windows\system32\Oqdnld32.exe
        323⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Ognginic.exe
        
        C:\Windows\system32\Ognginic.exe
        324⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Ojmcej32.exe
        
        C:\Windows\system32\Ojmcej32.exe
        325⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Oqgkadod.exe
        
        C:\Windows\system32\Oqgkadod.exe
        326⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Ogqcon32.exe
        
        C:\Windows\system32\Ogqcon32.exe
        327⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Ojopki32.exe
        
        C:\Windows\system32\Ojopki32.exe
        328⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Pqihgcma.exe
        
        C:\Windows\system32\Pqihgcma.exe
        329⤵
        
        PID:13148
        
        C:\Windows\SysWOW64\Pgcpdn32.exe
        
        C:\Windows\system32\Pgcpdn32.exe
        330⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Pbhdafdd.exe
        
        C:\Windows\system32\Pbhdafdd.exe
        331⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Pcjaio32.exe
        
        C:\Windows\system32\Pcjaio32.exe
        332⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Pjdifibo.exe
        
        C:\Windows\system32\Pjdifibo.exe
        333⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\Pclnon32.exe
        
        C:\Windows\system32\Pclnon32.exe
        334⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\Pbmnlf32.exe
        
        C:\Windows\system32\Pbmnlf32.exe
        335⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Qcepem32.exe
        
        C:\Windows\system32\Qcepem32.exe
        336⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\Abfqbdhd.exe
        
        C:\Windows\system32\Abfqbdhd.exe
        337⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\Anmagenh.exe
        
        C:\Windows\system32\Anmagenh.exe
        338⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\Aegidp32.exe
        
        C:\Windows\system32\Aegidp32.exe
        339⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ajdbmf32.exe
        
        C:\Windows\system32\Ajdbmf32.exe
        340⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        341⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\Alcofi32.exe
        
        C:\Windows\system32\Alcofi32.exe
        342⤵
        
        PID:9284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akglloai.exe

Filesize
467KB

MD5
91935704164b68339b449600d52a58d8

SHA1
20a865706a580425d76500f74066990bf5d75146

SHA256
ede64bf528e0e8405604babc1281c57b4006db3c8440cf827763204344e0d655

SHA512
bd75ffe244fe255b8cd5da786b7f742f3f653d7ab9f0cf95dd0d4acf75d746e31f5eb71777af880f224680daf838ea65bc034532f81666920f0d2169e8801c90

Download Submit
C:\Windows\SysWOW64\Akglloai.exe

Filesize
467KB

MD5
91935704164b68339b449600d52a58d8

SHA1
20a865706a580425d76500f74066990bf5d75146

SHA256
ede64bf528e0e8405604babc1281c57b4006db3c8440cf827763204344e0d655

SHA512
bd75ffe244fe255b8cd5da786b7f742f3f653d7ab9f0cf95dd0d4acf75d746e31f5eb71777af880f224680daf838ea65bc034532f81666920f0d2169e8801c90

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
467KB

MD5
f6dda4e464a55d6592044643bd3db4e2

SHA1
0ba2fcac3d9a05dd2331c50ba290d230586cd258

SHA256
e3e6efa32f8a9ab4d902b198b21ab67b7c180d4fd1a4ffa4d9717d12727b8680

SHA512
8b52ac5d3d9f4516f45877a27e04ee9130b4ac5171c85b6c3af09b4c2dfea0a708bcd5f8fa580101087a23d837e89c0371cd4d6986854797cfac1b8462e068b1

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
467KB

MD5
f6dda4e464a55d6592044643bd3db4e2

SHA1
0ba2fcac3d9a05dd2331c50ba290d230586cd258

SHA256
e3e6efa32f8a9ab4d902b198b21ab67b7c180d4fd1a4ffa4d9717d12727b8680

SHA512
8b52ac5d3d9f4516f45877a27e04ee9130b4ac5171c85b6c3af09b4c2dfea0a708bcd5f8fa580101087a23d837e89c0371cd4d6986854797cfac1b8462e068b1

Download Submit
C:\Windows\SysWOW64\Bdpaeehj.exe

Filesize
467KB

MD5
2bc85df2b5b58306cfd620d8452d26c0

SHA1
ef6c8d8e81566ef2d5c21d315c8922f2200dce2d

SHA256
1d58668b1f6e41ac299ef35dc56ca7d74ee82946cd5739733dbb06a61a2d12cb

SHA512
0640a96a2aeb13032fa9fefb9f312aeccf257c0dc38c71fc264123c766ed7a1f62d9850aae25c05a06c6c7cada1c381d7c7221f06ddcf7e8a04d3fa00174f968

Download Submit
C:\Windows\SysWOW64\Bdpaeehj.exe

Filesize
467KB

MD5
2bc85df2b5b58306cfd620d8452d26c0

SHA1
ef6c8d8e81566ef2d5c21d315c8922f2200dce2d

SHA256
1d58668b1f6e41ac299ef35dc56ca7d74ee82946cd5739733dbb06a61a2d12cb

SHA512
0640a96a2aeb13032fa9fefb9f312aeccf257c0dc38c71fc264123c766ed7a1f62d9850aae25c05a06c6c7cada1c381d7c7221f06ddcf7e8a04d3fa00174f968

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
467KB

MD5
6a5c0b8ca18e9b9554147e7add565a28

SHA1
411d5a6303e477976e5e6e754218d4e0eaf2e530

SHA256
a0f25441c498cb82719bcb49320b3acbe94d981981abe2c211216f25b5d1cbf7

SHA512
799eec0ca890c5255dbbbd964d7c4da6a469b8ec4ed2b6025e8fe510b9d791196a86ada088bb4b2113d2ff403017204d2f5bd7945a34faa8a03dab6ac1a2cc34

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
467KB

MD5
648c69f8c4f94d407ad85d31d526ff8a

SHA1
0bf89e552ce6fee59621ec3daf52d4722283901c

SHA256
b9d3e24f72d83f06d1aabefbd48e3f0c518abc128e4b8fbf55b0ae0444d8762f

SHA512
22853ae13116b824959234fa3600c20784c7eea21e33dbeb1e4eacc41368b6b6016805134032ec88e49d96396f4d2a06e5a514e40a00af70ce18ae1e5f95420d

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
467KB

MD5
648c69f8c4f94d407ad85d31d526ff8a

SHA1
0bf89e552ce6fee59621ec3daf52d4722283901c

SHA256
b9d3e24f72d83f06d1aabefbd48e3f0c518abc128e4b8fbf55b0ae0444d8762f

SHA512
22853ae13116b824959234fa3600c20784c7eea21e33dbeb1e4eacc41368b6b6016805134032ec88e49d96396f4d2a06e5a514e40a00af70ce18ae1e5f95420d

Download Submit
C:\Windows\SysWOW64\Bmlofhca.exe

Filesize
467KB

MD5
2dd15857c8611c6040e0bba9a4261b5b

SHA1
15094c521ee7cd2d7300ebdef2af10446673950e

SHA256
56afa0c660f18b1983f34321ed88f31e5c7c36ad43486a00ac60549bbfab1f29

SHA512
25ba3987dbbf2cc5dd45d859c38269bcc40d7540048147e42a8a087b71f8d2e37ba974f5585f130b8c9dfd6968c9ee5d4748e9c662dc4ad2c4192c2316a1875d

Download Submit
C:\Windows\SysWOW64\Boeebnhp.exe

Filesize
467KB

MD5
6a5c0b8ca18e9b9554147e7add565a28

SHA1
411d5a6303e477976e5e6e754218d4e0eaf2e530

SHA256
a0f25441c498cb82719bcb49320b3acbe94d981981abe2c211216f25b5d1cbf7

SHA512
799eec0ca890c5255dbbbd964d7c4da6a469b8ec4ed2b6025e8fe510b9d791196a86ada088bb4b2113d2ff403017204d2f5bd7945a34faa8a03dab6ac1a2cc34

Download Submit
C:\Windows\SysWOW64\Boeebnhp.exe

Filesize
467KB

MD5
6a5c0b8ca18e9b9554147e7add565a28

SHA1
411d5a6303e477976e5e6e754218d4e0eaf2e530

SHA256
a0f25441c498cb82719bcb49320b3acbe94d981981abe2c211216f25b5d1cbf7

SHA512
799eec0ca890c5255dbbbd964d7c4da6a469b8ec4ed2b6025e8fe510b9d791196a86ada088bb4b2113d2ff403017204d2f5bd7945a34faa8a03dab6ac1a2cc34

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
467KB

MD5
93612c2d5b096497a8a15d0419401431

SHA1
f156b86647c85f3bc12d2e4b2327adda113ab549

SHA256
08c1f6173cfaf48f3de1ddc6fa91c931183773f1f68e205a4c23661f30c9e137

SHA512
ae0b8f75954059098fe4ea1e8b7545733eee2043e67f994a703ff7676607a6efc7a5f4d16b3e7fdfe811fb25a3dd4da1bf7f6ae7f57ed806c33c84c70536042c

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
467KB

MD5
93612c2d5b096497a8a15d0419401431

SHA1
f156b86647c85f3bc12d2e4b2327adda113ab549

SHA256
08c1f6173cfaf48f3de1ddc6fa91c931183773f1f68e205a4c23661f30c9e137

SHA512
ae0b8f75954059098fe4ea1e8b7545733eee2043e67f994a703ff7676607a6efc7a5f4d16b3e7fdfe811fb25a3dd4da1bf7f6ae7f57ed806c33c84c70536042c

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
467KB

MD5
2e218717db6cdb0122d655b328fb81d6

SHA1
8d11e303999606640e3f74356fb6f2dca72df1c8

SHA256
6a4e34b48f006671fdf45040093164d420467fdef58372e87f1c8ef2e0feb629

SHA512
4fb0acd751f3c27190208f220f11f2b7910510d11cbf3f4746455a4a6db08156988d559c35ddad202202e0d5cea264b9cb508698a2548d18bae8f6171ca0b38e

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
467KB

MD5
2e218717db6cdb0122d655b328fb81d6

SHA1
8d11e303999606640e3f74356fb6f2dca72df1c8

SHA256
6a4e34b48f006671fdf45040093164d420467fdef58372e87f1c8ef2e0feb629

SHA512
4fb0acd751f3c27190208f220f11f2b7910510d11cbf3f4746455a4a6db08156988d559c35ddad202202e0d5cea264b9cb508698a2548d18bae8f6171ca0b38e

Download Submit
C:\Windows\SysWOW64\Cfglahbj.exe

Filesize
467KB

MD5
018e2a8c4042e7056db96963e3844624

SHA1
a42a86f3a66ba16d267656547ae0875638b9a083

SHA256
30e04d06fd1860953be9411d60766b6695dc95230876273d003eb7b540a579fb

SHA512
92b871b20e5fd1e8acd44e92872a4eccbd0dee2639028061cfd0893a88336a3cc699d13fc1b75b7d363e345891b1ab626b3a590729fc5f0437a78067e6277df3

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
467KB

MD5
9e1ce03f0f286ec653280653a855db3b

SHA1
fbea284f905b6e16d18047f4eb6e119cc49fa02d

SHA256
c3496f93d80c6f5f1373764eaa695ddcc9709f869fdd317d460c05ee7b3f738f

SHA512
b86dd79682b31beed52fe539a0966489c2d25c9c1a274d83a001cbd0c5f9e75bdcb40f35beb3c1b98dae23273a00755c0be8f8c9b46140ef1cdcf3b06acba680

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
467KB

MD5
9e1ce03f0f286ec653280653a855db3b

SHA1
fbea284f905b6e16d18047f4eb6e119cc49fa02d

SHA256
c3496f93d80c6f5f1373764eaa695ddcc9709f869fdd317d460c05ee7b3f738f

SHA512
b86dd79682b31beed52fe539a0966489c2d25c9c1a274d83a001cbd0c5f9e75bdcb40f35beb3c1b98dae23273a00755c0be8f8c9b46140ef1cdcf3b06acba680

Download Submit
C:\Windows\SysWOW64\Ciggeb32.dll

Filesize
7KB

MD5
aed26ccae596da67b60421058a55f309

SHA1
cac0b5d988a4f6ba99377f886af52c78446ef53d

SHA256
25e9f4cc448cb65d7b737ee07d92bba238aba0aa194d1fe26c828527ab69e2ce

SHA512
bd6c002c9838550bedc4656be1e0651119b09305f5b3be12522249551b743a3b7d2d69379813210343809141f0967df9053d5f00d3c07ad1e11c58e64e3c28ad

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
467KB

MD5
93814f5442e866335d396bfe7cb72681

SHA1
4d603afff93c60b76af196e2080434b9a8ef4c79

SHA256
c027f65276dbfa2cec0ae1025b6fb10380b8a2904724a95c18794ebbf67c701b

SHA512
e35a89d1df4395c282cbb8dd2dda8df01277d4d991d55700ab4d8f904dd5243b3f9e1ea0109bc80ed36c0b237d28cf6362f3ab227142967c9bd102af2f53a1d9

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
467KB

MD5
128d002306910826312e5914b22a195a

SHA1
249c587f8896975c8db170f3cff50c2d9c8e2816

SHA256
c360b1101e31c5eb7ae795769ebeea6d3ef524b881aca7f23dc8c34071dee53d

SHA512
cfc21a0ae0a2394e4ae84829e8a0f50b8817413dc573c6791b2e783dc6e1b5b1e0b3c9f80cf87091cda061b3f6fcfc0f1c05e3ae84dfb2852d03e8f0d876f09d

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
467KB

MD5
128d002306910826312e5914b22a195a

SHA1
249c587f8896975c8db170f3cff50c2d9c8e2816

SHA256
c360b1101e31c5eb7ae795769ebeea6d3ef524b881aca7f23dc8c34071dee53d

SHA512
cfc21a0ae0a2394e4ae84829e8a0f50b8817413dc573c6791b2e783dc6e1b5b1e0b3c9f80cf87091cda061b3f6fcfc0f1c05e3ae84dfb2852d03e8f0d876f09d

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
467KB

MD5
e616524f34f540857060ce865f914bd4

SHA1
7a42c24cb8d7da20cc45807f219ce2cdf6f23c2a

SHA256
f79a3fcfb3f2c7670a5efe242704cbce6fcf505b110638d84b6a8f4f6cd436ef

SHA512
997d234c3a904714dcbb10db81a1326968103a31bcfd228ea50863ed6b3f0ecbda99151f305003887c0b4bbf4b03d12c823f71d612d3262dc7feb97bff1ad2d8

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
467KB

MD5
e616524f34f540857060ce865f914bd4

SHA1
7a42c24cb8d7da20cc45807f219ce2cdf6f23c2a

SHA256
f79a3fcfb3f2c7670a5efe242704cbce6fcf505b110638d84b6a8f4f6cd436ef

SHA512
997d234c3a904714dcbb10db81a1326968103a31bcfd228ea50863ed6b3f0ecbda99151f305003887c0b4bbf4b03d12c823f71d612d3262dc7feb97bff1ad2d8

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
467KB

MD5
93814f5442e866335d396bfe7cb72681

SHA1
4d603afff93c60b76af196e2080434b9a8ef4c79

SHA256
c027f65276dbfa2cec0ae1025b6fb10380b8a2904724a95c18794ebbf67c701b

SHA512
e35a89d1df4395c282cbb8dd2dda8df01277d4d991d55700ab4d8f904dd5243b3f9e1ea0109bc80ed36c0b237d28cf6362f3ab227142967c9bd102af2f53a1d9

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
467KB

MD5
93814f5442e866335d396bfe7cb72681

SHA1
4d603afff93c60b76af196e2080434b9a8ef4c79

SHA256
c027f65276dbfa2cec0ae1025b6fb10380b8a2904724a95c18794ebbf67c701b

SHA512
e35a89d1df4395c282cbb8dd2dda8df01277d4d991d55700ab4d8f904dd5243b3f9e1ea0109bc80ed36c0b237d28cf6362f3ab227142967c9bd102af2f53a1d9

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
467KB

MD5
eacfa7fe1dd2d33e57d807ab8d7dc7cc

SHA1
ed000f53c355ee663e0242fae1c6c2e81446a729

SHA256
480d0bff804effaba088f333708a07f834ba813fa59786a060b4ac415aa65fb7

SHA512
58c4c58207b33e14c4ea7f72dc883b529e3ffd85b370539ce6b68e93aa1a33f9e5a5c76cb696aa9bd82ca60974951f7d0a26948d335563d7423cb5c9cb06d899

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
467KB

MD5
eacfa7fe1dd2d33e57d807ab8d7dc7cc

SHA1
ed000f53c355ee663e0242fae1c6c2e81446a729

SHA256
480d0bff804effaba088f333708a07f834ba813fa59786a060b4ac415aa65fb7

SHA512
58c4c58207b33e14c4ea7f72dc883b529e3ffd85b370539ce6b68e93aa1a33f9e5a5c76cb696aa9bd82ca60974951f7d0a26948d335563d7423cb5c9cb06d899

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
467KB

MD5
690584821615b92a8ac2dc3aa4ee4ea8

SHA1
5e3f088a3c13762500b8ce91622a6fd8901c88a7

SHA256
0d6c9d2c20a69081fbdb4b57df13649d226af9ae34217d29f572f7b6261cb48d

SHA512
ce97218bd3859c3df8314384de77ed810756d5c8c8ef8db6ba2eb66494479313fa98a1666f665503d403a74f48faf4322369bacedfd25ad5bdd506a92e14f28a

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
467KB

MD5
690584821615b92a8ac2dc3aa4ee4ea8

SHA1
5e3f088a3c13762500b8ce91622a6fd8901c88a7

SHA256
0d6c9d2c20a69081fbdb4b57df13649d226af9ae34217d29f572f7b6261cb48d

SHA512
ce97218bd3859c3df8314384de77ed810756d5c8c8ef8db6ba2eb66494479313fa98a1666f665503d403a74f48faf4322369bacedfd25ad5bdd506a92e14f28a

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
467KB

MD5
1169de29c74a2f53d5e3128fa628747c

SHA1
917d7bcaf21f4f2fb051556554ba1d6cf10ddf11

SHA256
5bfd5036a456b1fc713962cdbaeb220b1843369917afd80102825e02633b0cc2

SHA512
8c9ac87ba259fff5c1a4374c8b1b9faf378fc71bc182406b9fe7e8048e0665fcac6fe682e31609defe040fdc128a6b3c29dd61805e8ec7439a75c7227bda49a3

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
467KB

MD5
1169de29c74a2f53d5e3128fa628747c

SHA1
917d7bcaf21f4f2fb051556554ba1d6cf10ddf11

SHA256
5bfd5036a456b1fc713962cdbaeb220b1843369917afd80102825e02633b0cc2

SHA512
8c9ac87ba259fff5c1a4374c8b1b9faf378fc71bc182406b9fe7e8048e0665fcac6fe682e31609defe040fdc128a6b3c29dd61805e8ec7439a75c7227bda49a3

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
467KB

MD5
59a3adc36e628ab6b00af5b1cd930f4c

SHA1
e9528a41e016970bcc7aa33f7e7a6a6d40f7fd56

SHA256
ec64d8dd9d3463df652421d9a1b3b38ae9fa24f895e14cc0536c3fa83d461e45

SHA512
ff74cf7bf19a2adb24c92d19d344386dc53325439b2c9396ba0d8c6fc6255fe503878ac28dd073ff295a862b3386fb2a2cf3d1a999ac93a6c7c267bd6d5c1e70

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
467KB

MD5
59a3adc36e628ab6b00af5b1cd930f4c

SHA1
e9528a41e016970bcc7aa33f7e7a6a6d40f7fd56

SHA256
ec64d8dd9d3463df652421d9a1b3b38ae9fa24f895e14cc0536c3fa83d461e45

SHA512
ff74cf7bf19a2adb24c92d19d344386dc53325439b2c9396ba0d8c6fc6255fe503878ac28dd073ff295a862b3386fb2a2cf3d1a999ac93a6c7c267bd6d5c1e70

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
467KB

MD5
d1aa4d1a874d11d6be53e8082a630d73

SHA1
2d5857b10e529d18b6753486cda7c4fa4fad9746

SHA256
4abae6e8a51b836d8536e6948f7f7a29f52c17ae2fbc020cb0708e6e7ff6fc06

SHA512
1552d8a1374525c456e056289bd3f89fc9186cb5890956f5443724fd782183e964cb737bb077a796176fa838585ffe00a8698e69ab78c8be44d5bdba106b6e01

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
467KB

MD5
d1aa4d1a874d11d6be53e8082a630d73

SHA1
2d5857b10e529d18b6753486cda7c4fa4fad9746

SHA256
4abae6e8a51b836d8536e6948f7f7a29f52c17ae2fbc020cb0708e6e7ff6fc06

SHA512
1552d8a1374525c456e056289bd3f89fc9186cb5890956f5443724fd782183e964cb737bb077a796176fa838585ffe00a8698e69ab78c8be44d5bdba106b6e01

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
467KB

MD5
ae423b365c9428d1277ea78a8ea43bff

SHA1
98da63fa541c1799b13858e24e9bd23a36851b6c

SHA256
714b4c1255bbe998a82446872694ff3eb08d064df0920bb277da8911560e03cf

SHA512
213226d01605e19a1e8c0c163ab2c4fe6640c0b4ac9f4343b8a985072887dd6382dba851745dcf41f4c9b2514ec132104326b87a424fab4d8cc249f046d603e2

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
467KB

MD5
ae423b365c9428d1277ea78a8ea43bff

SHA1
98da63fa541c1799b13858e24e9bd23a36851b6c

SHA256
714b4c1255bbe998a82446872694ff3eb08d064df0920bb277da8911560e03cf

SHA512
213226d01605e19a1e8c0c163ab2c4fe6640c0b4ac9f4343b8a985072887dd6382dba851745dcf41f4c9b2514ec132104326b87a424fab4d8cc249f046d603e2

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
467KB

MD5
7eba8ca028a78d4eb43a61c5ca74249e

SHA1
f80f9577e72758d93d42dcf4846399f62da0bdd0

SHA256
c17b0f32d9f369b6afaddeff44a4dee332ebffa033cec9f74ffbb135bc746965

SHA512
d625469ac1780c27e28433e1348927dbd5fe3641b252c1a772accf0c2e005fc00a26107d4cfe4620ebede23761c20cc80727dcef3964a3b89c91608ca64bc55e

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
467KB

MD5
7eba8ca028a78d4eb43a61c5ca74249e

SHA1
f80f9577e72758d93d42dcf4846399f62da0bdd0

SHA256
c17b0f32d9f369b6afaddeff44a4dee332ebffa033cec9f74ffbb135bc746965

SHA512
d625469ac1780c27e28433e1348927dbd5fe3641b252c1a772accf0c2e005fc00a26107d4cfe4620ebede23761c20cc80727dcef3964a3b89c91608ca64bc55e

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
467KB

MD5
08884be8739a6fcd4846e596e8449ec0

SHA1
92a254c13a9a2dc2e63637632de22e6cc98ed0f5

SHA256
e29889e41d5572fa4c4f05164574a646df279b3b786ee2107ffbee6dd4a69eda

SHA512
da8558e25322754ad49888cdea8e5b13b19ed00ad3f9f2b1c029887126efc716b02809bb107fce915ceea89d66bd924497ec9c7ed35ec5d821117f014b722dc8

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
467KB

MD5
08884be8739a6fcd4846e596e8449ec0

SHA1
92a254c13a9a2dc2e63637632de22e6cc98ed0f5

SHA256
e29889e41d5572fa4c4f05164574a646df279b3b786ee2107ffbee6dd4a69eda

SHA512
da8558e25322754ad49888cdea8e5b13b19ed00ad3f9f2b1c029887126efc716b02809bb107fce915ceea89d66bd924497ec9c7ed35ec5d821117f014b722dc8

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
467KB

MD5
08b52a3830332fb19e6b8976a2785067

SHA1
6723b31624907aa4a48e7c926027a5eb4b0ea39e

SHA256
666336012778169c96fa0b3ade36b516fe0afc10186aa8cbd67a228e97e83e99

SHA512
d2cca6c64e8e56f0a999e4f30c3afc667ffe844f68b26aedf40aa730037bfa44284f2cc381b87bc71a600507da5aef7538e4a028767da1f162b7f5a7b62b3cd8

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
467KB

MD5
08b52a3830332fb19e6b8976a2785067

SHA1
6723b31624907aa4a48e7c926027a5eb4b0ea39e

SHA256
666336012778169c96fa0b3ade36b516fe0afc10186aa8cbd67a228e97e83e99

SHA512
d2cca6c64e8e56f0a999e4f30c3afc667ffe844f68b26aedf40aa730037bfa44284f2cc381b87bc71a600507da5aef7538e4a028767da1f162b7f5a7b62b3cd8

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
467KB

MD5
da0e2e573423a02b6f03cce0951a41e5

SHA1
455869d30aab375cdb52c0dc80fa92751e6203ef

SHA256
e23553dc67fe0f400f7a1aea873890ef221be6aa3b34371f695790031e5fdac6

SHA512
2be3b85c907332344cadbce5950bd091f15f4fa26a1390e4e90d68a5560ba5027a8f2a35c1117a8f2ae20e5b1211efee0ffb5eb20dea0ea1d99c5bf2d6013e32

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
467KB

MD5
da0e2e573423a02b6f03cce0951a41e5

SHA1
455869d30aab375cdb52c0dc80fa92751e6203ef

SHA256
e23553dc67fe0f400f7a1aea873890ef221be6aa3b34371f695790031e5fdac6

SHA512
2be3b85c907332344cadbce5950bd091f15f4fa26a1390e4e90d68a5560ba5027a8f2a35c1117a8f2ae20e5b1211efee0ffb5eb20dea0ea1d99c5bf2d6013e32

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
467KB

MD5
85920e7074ce83ef75dc4ca37f6cfca2

SHA1
6c6701149778e1edb0670d8cb6e90554aefe4885

SHA256
5d1f4a538914928b06616049367aa38337d2e20ef5ea64c3cacd4f997dc605e1

SHA512
0303ab413b4d5024686544b8d5a106e4c71aeb2c4704db6ca97c7cd6bbbf83d43452da2e86913aad1cdf57f9ca120ba5bc6d3d52f463bbb17d3d08d90bd7090d

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
467KB

MD5
85920e7074ce83ef75dc4ca37f6cfca2

SHA1
6c6701149778e1edb0670d8cb6e90554aefe4885

SHA256
5d1f4a538914928b06616049367aa38337d2e20ef5ea64c3cacd4f997dc605e1

SHA512
0303ab413b4d5024686544b8d5a106e4c71aeb2c4704db6ca97c7cd6bbbf83d43452da2e86913aad1cdf57f9ca120ba5bc6d3d52f463bbb17d3d08d90bd7090d

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
467KB

MD5
5e057b424751026954737621e8d3138a

SHA1
a6cdf2e7d47110a1a1abfcd4b4f72ea6dfeb2176

SHA256
0ff8050038fe0145eb6a2b1cd8cfbaa35d07d488cfb86816e7e9c2262d714152

SHA512
9d525511f5896821acd84628810a7e65f6519f42868db21a147e7594cfef1ffbdf7dfc0f53d74468344cbcb824fc23e1feb089cdf93d193bfc03d908bcf57a28

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
467KB

MD5
5e057b424751026954737621e8d3138a

SHA1
a6cdf2e7d47110a1a1abfcd4b4f72ea6dfeb2176

SHA256
0ff8050038fe0145eb6a2b1cd8cfbaa35d07d488cfb86816e7e9c2262d714152

SHA512
9d525511f5896821acd84628810a7e65f6519f42868db21a147e7594cfef1ffbdf7dfc0f53d74468344cbcb824fc23e1feb089cdf93d193bfc03d908bcf57a28

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
467KB

MD5
8db0ff6fd8f80b18430c343329e7a26b

SHA1
248987ae09c033cf2989b78f53a193e91b269516

SHA256
607f8605a49d78cb83852476cf6bfb62658126cea9b977ca424242f2e5899aac

SHA512
eab90b7ce154727cd3fb3637f7a8cc77f568f7d2b1382067608b424af6bfebe82c92679739c092014d2497c8094bbdcfd6c8fd5f20f577d043a048bfa423a640

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
467KB

MD5
8db0ff6fd8f80b18430c343329e7a26b

SHA1
248987ae09c033cf2989b78f53a193e91b269516

SHA256
607f8605a49d78cb83852476cf6bfb62658126cea9b977ca424242f2e5899aac

SHA512
eab90b7ce154727cd3fb3637f7a8cc77f568f7d2b1382067608b424af6bfebe82c92679739c092014d2497c8094bbdcfd6c8fd5f20f577d043a048bfa423a640

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
467KB

MD5
134e11268f4743514b1e21f2bcd3b990

SHA1
8c41bc46751170178b4b17380009f5506a21eae2

SHA256
b8faa7a02e19b38a78ccc54b78bf06187ed0aaa0cbef3b9cfdffea61be5047ff

SHA512
867d1c0f5accfbd4d613a0e8476572dfb8b84580ad26f2789fb4816c55a06ef9478b1672720b61c87f778b8848350da2009fa735ae6edd3d8ad405150a606087

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
467KB

MD5
134e11268f4743514b1e21f2bcd3b990

SHA1
8c41bc46751170178b4b17380009f5506a21eae2

SHA256
b8faa7a02e19b38a78ccc54b78bf06187ed0aaa0cbef3b9cfdffea61be5047ff

SHA512
867d1c0f5accfbd4d613a0e8476572dfb8b84580ad26f2789fb4816c55a06ef9478b1672720b61c87f778b8848350da2009fa735ae6edd3d8ad405150a606087

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
467KB

MD5
cf73e42274f0c7fb2b5330ff328693c4

SHA1
47ff08fc71cda70e8cf7d6c230e3b53c53082576

SHA256
3b3ca3e6fb902afa4bcb087b6cb33d2600a0df27d1ecb11039a4d3dfb7b25f01

SHA512
0c44dffdd0629b4d1eaee89b63c3839e85aedd6c10065034599ecc57842df094c31c680d197aae2b060da22920fde76d9602011fcbdcf5e0d04480d54328d4e9

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
467KB

MD5
cf73e42274f0c7fb2b5330ff328693c4

SHA1
47ff08fc71cda70e8cf7d6c230e3b53c53082576

SHA256
3b3ca3e6fb902afa4bcb087b6cb33d2600a0df27d1ecb11039a4d3dfb7b25f01

SHA512
0c44dffdd0629b4d1eaee89b63c3839e85aedd6c10065034599ecc57842df094c31c680d197aae2b060da22920fde76d9602011fcbdcf5e0d04480d54328d4e9

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
467KB

MD5
761a19008f047d3bfe0e70a3f5fc6964

SHA1
fb5cb7647fd186979a7ff1e709e44a345aef5286

SHA256
4d0bf98e7f57f0d4a4489eff1241c86495c8ee7037263b2e4501a4c205ebd32f

SHA512
11e55c82d8329b5e8aea3f4309afbc0379ecb1bdc946905a74bbeadea73eb613b1162af1168c1aea87234cc969a5708d5cfa9cd5a85ceaa8acf1589f0f726adc

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
467KB

MD5
761a19008f047d3bfe0e70a3f5fc6964

SHA1
fb5cb7647fd186979a7ff1e709e44a345aef5286

SHA256
4d0bf98e7f57f0d4a4489eff1241c86495c8ee7037263b2e4501a4c205ebd32f

SHA512
11e55c82d8329b5e8aea3f4309afbc0379ecb1bdc946905a74bbeadea73eb613b1162af1168c1aea87234cc969a5708d5cfa9cd5a85ceaa8acf1589f0f726adc

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
467KB

MD5
d37a74def0a7d13dfb828a65254dbc1f

SHA1
1f3d114d59edcf7f9726c7d491d074f6fda3235b

SHA256
df7d0a7406d8f10f03bacee87b0c0a0b2a69e8a31a6955f1ab618889214f782a

SHA512
ff38620110a7a57132d92a1612db981e10a6ae3b1f1916ee593b9d1f9f72c9e3f299a851a23b8ffe2cd03c330fbad625192c42a77798a09117a092666cee02bc

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
467KB

MD5
d37a74def0a7d13dfb828a65254dbc1f

SHA1
1f3d114d59edcf7f9726c7d491d074f6fda3235b

SHA256
df7d0a7406d8f10f03bacee87b0c0a0b2a69e8a31a6955f1ab618889214f782a

SHA512
ff38620110a7a57132d92a1612db981e10a6ae3b1f1916ee593b9d1f9f72c9e3f299a851a23b8ffe2cd03c330fbad625192c42a77798a09117a092666cee02bc

Download Submit
C:\Windows\SysWOW64\Fmfgek32.exe

Filesize
467KB

MD5
32d85710902771ddc25fa8ba0417b31e

SHA1
e9daa8ffe3a6b51c68a474dc417767cbb5a7b9c7

SHA256
cc2fa55a3ebb91d20f3da85cbbd31444edf51f63a3d1b1db7049666002aea2a5

SHA512
3f1248ab3a2be92772cc748c1381f8922e7582e94c247a44c3296116272152dcdc70d848b02ac4c5accf8314736c7e05f6b4da7e6801ec961e2be274fd6f0486

Download Submit
C:\Windows\SysWOW64\Fmfgek32.exe

Filesize
467KB

MD5
32d85710902771ddc25fa8ba0417b31e

SHA1
e9daa8ffe3a6b51c68a474dc417767cbb5a7b9c7

SHA256
cc2fa55a3ebb91d20f3da85cbbd31444edf51f63a3d1b1db7049666002aea2a5

SHA512
3f1248ab3a2be92772cc748c1381f8922e7582e94c247a44c3296116272152dcdc70d848b02ac4c5accf8314736c7e05f6b4da7e6801ec961e2be274fd6f0486

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
467KB

MD5
7ef86a52755b3eb615a2e5c6a1c75ef1

SHA1
fe133f7fcf21e94abe7426751aac12da65a43262

SHA256
96236af0664986fed57b6db14f8ae6102155685b21ce6b8b66ee72468527f780

SHA512
d6a921887f9fa10ad151dfed60f422bc89452a652685dbbbbf4a320636ff0eac2d8bd81509c47296dfb51e0e59d8ea54b9dfa91ec4372400efd3a40c97fcbec3

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
467KB

MD5
7ef86a52755b3eb615a2e5c6a1c75ef1

SHA1
fe133f7fcf21e94abe7426751aac12da65a43262

SHA256
96236af0664986fed57b6db14f8ae6102155685b21ce6b8b66ee72468527f780

SHA512
d6a921887f9fa10ad151dfed60f422bc89452a652685dbbbbf4a320636ff0eac2d8bd81509c47296dfb51e0e59d8ea54b9dfa91ec4372400efd3a40c97fcbec3

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
467KB

MD5
ca7c61fda9791586042d83cf35e75c38

SHA1
c17537648e3eb6683eb929a4996f80eb9d278b56

SHA256
f29a982a031546e610f615a132acacae5f221348db11b34c24c17e5a810ff202

SHA512
04596df85dfe9f2a05b86609e3d51a6d05deb3be172ea126a49a6e6a19c3bd64c479f69b11b20151c7d6aabb2d3a0dcc3382df1a14e35545eaed8af492f6a2cc

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
467KB

MD5
ca7c61fda9791586042d83cf35e75c38

SHA1
c17537648e3eb6683eb929a4996f80eb9d278b56

SHA256
f29a982a031546e610f615a132acacae5f221348db11b34c24c17e5a810ff202

SHA512
04596df85dfe9f2a05b86609e3d51a6d05deb3be172ea126a49a6e6a19c3bd64c479f69b11b20151c7d6aabb2d3a0dcc3382df1a14e35545eaed8af492f6a2cc

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
467KB

MD5
4475e1c85be8269aea0a2f47b941f746

SHA1
e19244ae5b49202043b3dae179a0c53437963ebf

SHA256
bc022e713a4fc5802d8cf4787f4aeb0c640c13121d238ba81f2676f58957343b

SHA512
5329198a05ff9b18ac458adab16f1a3155481bb3a9b8d13bac2ebfa2632e1096aee6f516b6b8b8387955fe1b28eb09017881f4cb4c5872bf817ce7ded5707677

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
467KB

MD5
4475e1c85be8269aea0a2f47b941f746

SHA1
e19244ae5b49202043b3dae179a0c53437963ebf

SHA256
bc022e713a4fc5802d8cf4787f4aeb0c640c13121d238ba81f2676f58957343b

SHA512
5329198a05ff9b18ac458adab16f1a3155481bb3a9b8d13bac2ebfa2632e1096aee6f516b6b8b8387955fe1b28eb09017881f4cb4c5872bf817ce7ded5707677

Download Submit
C:\Windows\SysWOW64\Gdknpp32.exe

Filesize
467KB

MD5
d23b30591b1906bcaf8fed174080667d

SHA1
90d67373102c17404b086c7e200cfde98b6632e1

SHA256
b872b644e423dee65ed7eae799a13f7969ceb1857283b9308016940f72cbef4d

SHA512
8226156ffaef5b0038758597718bc134a5defa538c5516a33a0a102bca9a71fe6cd26725d251f4ec841f8abb9c3be825830cc1fdd145d80108b2bd15f32b3984

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
467KB

MD5
a2c3614e7eb612cd778fcb09a2b38c2a

SHA1
60a7e4d3bc6e0a47f4acef8f1f7e848deebcf84e

SHA256
f850d5c22a1b18be722748aa6c27ef25d71f4bdb68dac0c10403276c664319bc

SHA512
67c6d55a912cc8f7d488477f4465d714840cee4ddf8151a8f73d256341117a9ef4e94f941d7dac1d57913e57cfc1d1b6d71c4b29021ea277af6b09bd713a4c59

Download Submit
C:\Windows\SysWOW64\Jifemfcl.exe

Filesize
467KB

MD5
50447505035604cfa0b7b8358e1072a9

SHA1
8ed73d444ad4d6ea4d41abf052a0e2eeecd8e82c

SHA256
c852e0de35afffc68876a9375600f59ce3ff6b46eb41353f2509b01a301f8873

SHA512
d7e7e5d66238fa1865618ab1a87481bcdffa04fd341c82b2e5b191bf13c7c2d8cb6528155800662118a69c2b51ff0aafc359ef19e310a7cddd2b853edb1eef58

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
467KB

MD5
dc5fae17471a61383e65baadbb2429a4

SHA1
ef07710c7d5bc15c8c63ddf3f74a1b9d3920d4e0

SHA256
3d393aef30db3cad580e14b0c2331481d9e965fceed79fc32f80660a6c253908

SHA512
cb8b8d62bcbceffa583db384c687384d35c6fe33e413754d84728c5dc6e68bc27a8f34f36fb4c8bf62db43f1af6f825507cd504671b550b4b92988910872c0e5

Download Submit
memory/224-514-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/368-550-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/388-552-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/408-371-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/488-539-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/648-323-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/852-316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/960-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1020-47-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1164-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1264-483-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1268-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1304-318-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1356-489-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1580-335-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-529-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1800-122-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1868-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1880-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1936-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2124-101-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2140-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2328-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2580-422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2628-399-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2968-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3212-359-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3216-319-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3336-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3356-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3392-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3416-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3436-417-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3500-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3512-321-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3556-365-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3920-377-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3984-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4116-353-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4216-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4228-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4300-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4304-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4368-393-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4396-523-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4480-495-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4496-401-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4588-505-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4832-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4836-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4864-317-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4868-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4948-347-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4996-477-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5008-320-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5016-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5136-567-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5188-569-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-575-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5280-581-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5376-597-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/10232-5585-0x0000000076CA0000-0x0000000076CC4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads