9205f8a3ff38a8cf9314231079be0d724adaf7258702c842c8c7629b1e560cef

Analysis

max time kernel
126s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fa33181a17cf52389308ae9be5be8330.exe
Size

324KB
MD5

fa33181a17cf52389308ae9be5be8330
SHA1

ff505ae0d16be03a56ab7006963fe8b870cfd974
SHA256

9205f8a3ff38a8cf9314231079be0d724adaf7258702c842c8c7629b1e560cef
SHA512

8d994950a0a377f8c6a83358c80f753ed980a5e748d8c2e7b9c2e33695251251963f9d78163225b8d2e79ed35868bc281dfd647588095bd607b75cba67f12387
SSDEEP

6144:K5w9n+wZ3zd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:/9Dpp5IFy5BcVPINRFYpfZvTmAWqeMfe

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbiabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkjjfkcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knqepc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didqkeeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcfejfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndmpddfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koiejemn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaqphgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikbneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eegqldqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eicedn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjebpml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkgaglpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnckooob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbopm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbkeacqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfgace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odfcjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbfema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpmpkoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djpfbahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Folkjnbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbdjhlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcaeea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejiiippb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmcclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digmqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pahpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eangjkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmimai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lipmoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhghge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmonbbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nolekd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcimfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Folkjnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Necqbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahinbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikejbjip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Necqbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnknim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maiccajf.exe

Executes dropped EXE 64 IoCs

pid	Process
1636	Mkmkkjko.exe
2576	Maiccajf.exe
1620	Mcjmel32.exe
1528	Mjdebfnd.exe
3600	Nghekkmn.exe
2128	Nndjndbh.exe
3544	Nnfgcd32.exe
3540	Nccokk32.exe
60	Neclenfo.exe
1308	Nnkpnclp.exe
3884	Ohcegi32.exe
1828	Oalipoiq.exe
4684	Ojdnid32.exe
3880	Ohhnbhok.exe
4628	Oeokal32.exe
1880	Paelfmaf.exe
4776	Pknqoc32.exe
1552	Phaahggp.exe
1520	Pajeam32.exe
3344	Plpjoe32.exe
3356	Pmaffnce.exe
5104	Plbfdekd.exe
3948	Pmcclm32.exe
2668	Pkgcea32.exe
4548	Qaalblgi.exe
3984	Qachgk32.exe
4728	Qklmpalf.exe
4764	Aeaanjkl.exe
3508	Ahbjoe32.exe
4364	Anobgl32.exe
4156	Ahdged32.exe
1332	Anaomkdb.exe
3492	Akepfpcl.exe
1888	Aekddhcb.exe
3408	Akglloai.exe
4008	Baadiiif.exe
3732	Bkjiao32.exe
4528	Bnhenj32.exe
1988	Bhnikc32.exe
1296	Bklfgo32.exe
4276	Bebjdgmj.exe
2840	Bllbaa32.exe
2636	Bahkih32.exe
3188	Bhbcfbjk.exe
1588	Bomkcm32.exe
396	Bdickcpo.exe
3628	Ckclhn32.exe
3020	Cdlqqcnl.exe
4448	Coadnlnb.exe
3328	Cfkmkf32.exe
4004	Cleegp32.exe
4876	Cbbnpg32.exe
4140	Clgbmp32.exe
3084	Cbdjeg32.exe
2876	Digehphc.exe
3804	Dkfadkgf.exe
2540	Dflfac32.exe
3096	Dmennnni.exe
3992	Emhkdmlg.exe
832	Efpomccg.exe
2224	Emjgim32.exe
1344	Enkdaepb.exe
1536	Ekodjiol.exe
764	Ebimgcfi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Midoph32.exe	Mcggga32.exe
File created	C:\Windows\SysWOW64\Keimof32.exe	Kpmdfonj.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Dikgnp32.dll	Inkjfk32.exe
File created	C:\Windows\SysWOW64\Bkefphem.exe	Bhgjcmfi.exe
File created	C:\Windows\SysWOW64\Hahnld32.dll	Cbqonf32.exe
File created	C:\Windows\SysWOW64\Kgiamm32.dll	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Dmmbbodp.dll	Ajjjjghg.exe
File created	C:\Windows\SysWOW64\Ljeafb32.exe	Lmaamn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjehneg.exe	Dlcmgqdd.exe
File created	C:\Windows\SysWOW64\Inogbj32.dll	Lfgahikm.exe
File created	C:\Windows\SysWOW64\Nmlafe32.dll	Cnbfgh32.exe
File created	C:\Windows\SysWOW64\Fkgkle32.dll	Pjlnhi32.exe
File created	C:\Windows\SysWOW64\Lfjchn32.exe	Kifcnjpi.exe
File opened for modification	C:\Windows\SysWOW64\Cfkmkf32.exe	Coadnlnb.exe
File opened for modification	C:\Windows\SysWOW64\Cbbnpg32.exe	Cleegp32.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Qgehml32.exe	Qdflaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bqpbboeg.exe	Bnaffdfc.exe
File created	C:\Windows\SysWOW64\Laeojd32.dll	Dgaiffii.exe
File created	C:\Windows\SysWOW64\Lihpdj32.exe	Lfjchn32.exe
File created	C:\Windows\SysWOW64\Iqgjmg32.exe	Ijmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcqlh32.exe	Kplijk32.exe
File created	C:\Windows\SysWOW64\Hnclfaec.dll	Hikkdc32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Cnebmgjj.exe	Chkjpm32.exe
File created	C:\Windows\SysWOW64\Kcoblg32.dll	Jobfdl32.exe
File created	C:\Windows\SysWOW64\Kkkldg32.exe	Kilphk32.exe
File opened for modification	C:\Windows\SysWOW64\Akopoi32.exe	Ahpdcn32.exe
File opened for modification	C:\Windows\SysWOW64\Kiomnk32.exe	Kfpqap32.exe
File opened for modification	C:\Windows\SysWOW64\Bdickcpo.exe	Bomkcm32.exe
File created	C:\Windows\SysWOW64\Bgqoll32.dll	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Egjmiege.dll	Mklpof32.exe
File opened for modification	C:\Windows\SysWOW64\Mjfoja32.exe	Mhhcne32.exe
File opened for modification	C:\Windows\SysWOW64\Nnfgcd32.exe	Nndjndbh.exe
File opened for modification	C:\Windows\SysWOW64\Ohcegi32.exe	Nnkpnclp.exe
File created	C:\Windows\SysWOW64\Lecipbeq.dll	Iqbpahpc.exe
File opened for modification	C:\Windows\SysWOW64\Nagngjmj.exe	Nipffmmg.exe
File opened for modification	C:\Windows\SysWOW64\Pkedbmab.exe	Pgihanii.exe
File created	C:\Windows\SysWOW64\Ebimgcfi.exe	Ekodjiol.exe
File created	C:\Windows\SysWOW64\Eimelg32.exe	Eaenkj32.exe
File created	C:\Windows\SysWOW64\Kmeddp32.dll	Akglloai.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Ombcji32.exe
File created	C:\Windows\SysWOW64\Iafphi32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Lfjkngdo.dll	Dhdmfljb.exe
File created	C:\Windows\SysWOW64\Dnnoip32.exe	Dlobmd32.exe
File created	C:\Windows\SysWOW64\Akaaggld.dll	Dgfdojfm.exe
File opened for modification	C:\Windows\SysWOW64\Egmjpi32.exe	Edoncm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpkbfdi.exe	Bpfcelml.exe
File created	C:\Windows\SysWOW64\Kjlcmdbb.exe	Kgngqico.exe
File created	C:\Windows\SysWOW64\Hmkigh32.exe	Hfaajnfb.exe
File created	C:\Windows\SysWOW64\Edoncm32.exe	Emeffcid.exe
File opened for modification	C:\Windows\SysWOW64\Lpelqj32.exe	Labkempb.exe
File opened for modification	C:\Windows\SysWOW64\Pafcofcg.exe	Pjoknhbe.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Aaofedkl.exe	Ajhndgjj.exe
File created	C:\Windows\SysWOW64\Cigcjj32.exe	Capkim32.exe
File created	C:\Windows\SysWOW64\Pmhaae32.dll	Ghgeoq32.exe
File created	C:\Windows\SysWOW64\Akhkncql.dll	Dflfac32.exe
File created	C:\Windows\SysWOW64\Ioolkncg.exe	Imnocf32.exe
File opened for modification	C:\Windows\SysWOW64\Ilcldb32.exe	Igfclkdj.exe
File created	C:\Windows\SysWOW64\Mjfoja32.exe	Mhhcne32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12928	7928	WerFault.exe	777

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggaoeo32.dll"	Mdjjgggk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmepcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmpcbhji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcllmi32.dll"	Okiefn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajjjjghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Inidkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cemndbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgeadjai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejnbdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jodlof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Knifging.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdjnolfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphigedp.dll"	Ejiiippb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifhbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndmpddfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqbfaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinpdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifcben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnpbgajc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikdm32.dll"	Lfjchn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlobmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghollnfk.dll"	Engaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhgjcmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll"	Qgehml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgmki32.dll"	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmccnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nncccnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akblfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcimfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbglgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbbjg32.dll"	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phmnfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hocjaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hebkid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adqeaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libido32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfaijand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjpai32.dll"	Qnopjfgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmphdomb.dll"	Ehklmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfpkhjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdcmnfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknhkonb.dll"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Falcli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbbhka32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1636	2608	NEAS.fa33181a17cf52389308ae9be5be8330.exe	85
PID 2608 wrote to memory of 1636	2608	NEAS.fa33181a17cf52389308ae9be5be8330.exe	85
PID 2608 wrote to memory of 1636	2608	NEAS.fa33181a17cf52389308ae9be5be8330.exe	85
PID 1636 wrote to memory of 2576	1636	Mkmkkjko.exe	86
PID 1636 wrote to memory of 2576	1636	Mkmkkjko.exe	86
PID 1636 wrote to memory of 2576	1636	Mkmkkjko.exe	86
PID 2576 wrote to memory of 1620	2576	Maiccajf.exe	87
PID 2576 wrote to memory of 1620	2576	Maiccajf.exe	87
PID 2576 wrote to memory of 1620	2576	Maiccajf.exe	87
PID 1620 wrote to memory of 1528	1620	Mcjmel32.exe	88
PID 1620 wrote to memory of 1528	1620	Mcjmel32.exe	88
PID 1620 wrote to memory of 1528	1620	Mcjmel32.exe	88
PID 1528 wrote to memory of 3600	1528	Mjdebfnd.exe	90
PID 1528 wrote to memory of 3600	1528	Mjdebfnd.exe	90
PID 1528 wrote to memory of 3600	1528	Mjdebfnd.exe	90
PID 3600 wrote to memory of 2128	3600	Nghekkmn.exe	91
PID 3600 wrote to memory of 2128	3600	Nghekkmn.exe	91
PID 3600 wrote to memory of 2128	3600	Nghekkmn.exe	91
PID 2128 wrote to memory of 3544	2128	Nndjndbh.exe	92
PID 2128 wrote to memory of 3544	2128	Nndjndbh.exe	92
PID 2128 wrote to memory of 3544	2128	Nndjndbh.exe	92
PID 3544 wrote to memory of 3540	3544	Nnfgcd32.exe	93
PID 3544 wrote to memory of 3540	3544	Nnfgcd32.exe	93
PID 3544 wrote to memory of 3540	3544	Nnfgcd32.exe	93
PID 3540 wrote to memory of 60	3540	Nccokk32.exe	94
PID 3540 wrote to memory of 60	3540	Nccokk32.exe	94
PID 3540 wrote to memory of 60	3540	Nccokk32.exe	94
PID 60 wrote to memory of 1308	60	Neclenfo.exe	96
PID 60 wrote to memory of 1308	60	Neclenfo.exe	96
PID 60 wrote to memory of 1308	60	Neclenfo.exe	96
PID 1308 wrote to memory of 3884	1308	Nnkpnclp.exe	97
PID 1308 wrote to memory of 3884	1308	Nnkpnclp.exe	97
PID 1308 wrote to memory of 3884	1308	Nnkpnclp.exe	97
PID 3884 wrote to memory of 1828	3884	Ohcegi32.exe	98
PID 3884 wrote to memory of 1828	3884	Ohcegi32.exe	98
PID 3884 wrote to memory of 1828	3884	Ohcegi32.exe	98
PID 1828 wrote to memory of 4684	1828	Oalipoiq.exe	99
PID 1828 wrote to memory of 4684	1828	Oalipoiq.exe	99
PID 1828 wrote to memory of 4684	1828	Oalipoiq.exe	99
PID 4684 wrote to memory of 3880	4684	Ojdnid32.exe	100
PID 4684 wrote to memory of 3880	4684	Ojdnid32.exe	100
PID 4684 wrote to memory of 3880	4684	Ojdnid32.exe	100
PID 3880 wrote to memory of 4628	3880	Ohhnbhok.exe	101
PID 3880 wrote to memory of 4628	3880	Ohhnbhok.exe	101
PID 3880 wrote to memory of 4628	3880	Ohhnbhok.exe	101
PID 4628 wrote to memory of 1880	4628	Oeokal32.exe	103
PID 4628 wrote to memory of 1880	4628	Oeokal32.exe	103
PID 4628 wrote to memory of 1880	4628	Oeokal32.exe	103
PID 1880 wrote to memory of 4776	1880	Paelfmaf.exe	104
PID 1880 wrote to memory of 4776	1880	Paelfmaf.exe	104
PID 1880 wrote to memory of 4776	1880	Paelfmaf.exe	104
PID 4776 wrote to memory of 1552	4776	Pknqoc32.exe	105
PID 4776 wrote to memory of 1552	4776	Pknqoc32.exe	105
PID 4776 wrote to memory of 1552	4776	Pknqoc32.exe	105
PID 1552 wrote to memory of 1520	1552	Phaahggp.exe	106
PID 1552 wrote to memory of 1520	1552	Phaahggp.exe	106
PID 1552 wrote to memory of 1520	1552	Phaahggp.exe	106
PID 1520 wrote to memory of 3344	1520	Pajeam32.exe	108
PID 1520 wrote to memory of 3344	1520	Pajeam32.exe	108
PID 1520 wrote to memory of 3344	1520	Pajeam32.exe	108
PID 3344 wrote to memory of 3356	3344	Plpjoe32.exe	107
PID 3344 wrote to memory of 3356	3344	Plpjoe32.exe	107
PID 3344 wrote to memory of 3356	3344	Plpjoe32.exe	107
PID 3356 wrote to memory of 5104	3356	Pmaffnce.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.fa33181a17cf52389308ae9be5be8330.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa33181a17cf52389308ae9be5be8330.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\Mkmkkjko.exe
  C:\Windows\system32\Mkmkkjko.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Maiccajf.exe
    C:\Windows\system32\Maiccajf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\Mcjmel32.exe
      C:\Windows\system32\Mcjmel32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344

C:\Windows\SysWOW64\Pmaffnce.exe
C:\Windows\system32\Pmaffnce.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\Plbfdekd.exe
  C:\Windows\system32\Plbfdekd.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- - C:\Windows\SysWOW64\Pmcclm32.exe
    C:\Windows\system32\Pmcclm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:3948

C:\Windows\SysWOW64\Pkgcea32.exe
C:\Windows\system32\Pkgcea32.exe
1⤵
- Executes dropped EXE
PID:2668
- C:\Windows\SysWOW64\Qaalblgi.exe
  C:\Windows\system32\Qaalblgi.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- - C:\Windows\SysWOW64\Qachgk32.exe
    C:\Windows\system32\Qachgk32.exe
    3⤵
    - Executes dropped EXE
    PID:3984
  - - C:\Windows\SysWOW64\Qklmpalf.exe
      C:\Windows\system32\Qklmpalf.exe
      4⤵
      Executes dropped EXE
      PID:4728
    - - C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        5⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        6⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        7⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        9⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        10⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        11⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        13⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        14⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        15⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        16⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        17⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        18⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        20⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        21⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        23⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        24⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        27⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
- C:\Windows\SysWOW64\Dllffa32.exe
  C:\Windows\system32\Dllffa32.exe
  2⤵
  PID:8348
- - C:\Windows\SysWOW64\Dfakcj32.exe
    C:\Windows\system32\Dfakcj32.exe
    3⤵
    PID:8420
  - - C:\Windows\SysWOW64\Dgdgijhp.exe
      C:\Windows\system32\Dgdgijhp.exe
      4⤵
      PID:8460
    - - C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        5⤵
        
        PID:4708
      - C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        6⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Dgfdojfm.exe
        
        C:\Windows\system32\Dgfdojfm.exe
        7⤵
        Drops file in System32 directory
        
        PID:8560
        
        C:\Windows\SysWOW64\Didqkeeq.exe
        
        C:\Windows\system32\Didqkeeq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4872
        
        C:\Windows\SysWOW64\Dlcmgqdd.exe
        
        C:\Windows\system32\Dlcmgqdd.exe
        9⤵
        Drops file in System32 directory
        
        PID:8592
        
        C:\Windows\SysWOW64\Ddjehneg.exe
        
        C:\Windows\system32\Ddjehneg.exe
        10⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Dghadidj.exe
        
        C:\Windows\system32\Dghadidj.exe
        11⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Digmqe32.exe
        
        C:\Windows\system32\Digmqe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Eleimp32.exe
        
        C:\Windows\system32\Eleimp32.exe
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Edlann32.exe
        
        C:\Windows\system32\Edlann32.exe
        14⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Egknji32.exe
        
        C:\Windows\system32\Egknji32.exe
        15⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Eiijfd32.exe
        
        C:\Windows\system32\Eiijfd32.exe
        16⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Emeffcid.exe
        
        C:\Windows\system32\Emeffcid.exe
        17⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Edoncm32.exe
        
        C:\Windows\system32\Edoncm32.exe
        18⤵
        Drops file in System32 directory
        
        PID:9028
        
        C:\Windows\SysWOW64\Egmjpi32.exe
        
        C:\Windows\system32\Egmjpi32.exe
        19⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\Ecdkdj32.exe
        
        C:\Windows\system32\Ecdkdj32.exe
        20⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Eincadmf.exe
        
        C:\Windows\system32\Eincadmf.exe
        21⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Edcgnmml.exe
        
        C:\Windows\system32\Edcgnmml.exe
        22⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Egbdjhlp.exe
        
        C:\Windows\system32\Egbdjhlp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2976
        
        C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        24⤵
        
        PID:5032

C:\Windows\SysWOW64\Cbbnpg32.exe
C:\Windows\system32\Cbbnpg32.exe
1⤵
- Executes dropped EXE
PID:4876
- C:\Windows\SysWOW64\Clgbmp32.exe
  C:\Windows\system32\Clgbmp32.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- - C:\Windows\SysWOW64\Cbdjeg32.exe
    C:\Windows\system32\Cbdjeg32.exe
    3⤵
    - Executes dropped EXE
    PID:3084
  - - C:\Windows\SysWOW64\Digehphc.exe
      C:\Windows\system32\Digehphc.exe
      4⤵
      Executes dropped EXE
      PID:2876
    - - C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        5⤵
        Executes dropped EXE
        
        PID:3804
      - C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        7⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        8⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        9⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        10⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        11⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        13⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3388
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        15⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        16⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        17⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        18⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        19⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        20⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        21⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        22⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        23⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        25⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        26⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        27⤵
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        28⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        29⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        30⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        31⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        32⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        33⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        34⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        35⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        36⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        37⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        38⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        39⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        41⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        42⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        43⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        44⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        45⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        47⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        48⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        51⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        52⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        53⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        54⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        55⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        56⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        57⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        58⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        59⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        60⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        61⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        62⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        63⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        64⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        65⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        66⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        67⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        68⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        69⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        70⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        71⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        72⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        73⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        74⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        76⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        77⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        78⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        79⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        81⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        82⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        83⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        84⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        85⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        86⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        87⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        88⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        89⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        90⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        92⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        93⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        94⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        95⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        96⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        97⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        98⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        99⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        100⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        101⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        102⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        103⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        104⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        105⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        106⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        107⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        108⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        109⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        110⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        111⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        112⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        113⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        114⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        115⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        116⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        117⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        118⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        120⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        121⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        122⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        123⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        124⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        125⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        126⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        127⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        128⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        129⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        131⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        133⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        134⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        135⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        136⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        137⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        138⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        140⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        141⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        142⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        143⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        144⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        145⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        146⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        147⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        148⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        149⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        150⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        151⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        152⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7600
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        154⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        155⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        156⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        158⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        159⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        160⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        161⤵
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        162⤵
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        156⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        157⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Nipffmmg.exe
        
        C:\Windows\system32\Nipffmmg.exe
        136⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Nagngjmj.exe
        
        C:\Windows\system32\Nagngjmj.exe
        137⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Mmdlflki.exe
        
        C:\Windows\system32\Mmdlflki.exe
        120⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Mdodbf32.exe
        
        C:\Windows\system32\Mdodbf32.exe
        121⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        122⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Mdcmnfop.exe
        
        C:\Windows\system32\Mdcmnfop.exe
        123⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nfaijand.exe
        
        C:\Windows\system32\Nfaijand.exe
        124⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Kggjghkd.exe
        
        C:\Windows\system32\Kggjghkd.exe
        113⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Ljffccjh.exe
        
        C:\Windows\system32\Ljffccjh.exe
        114⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        115⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Bghddp32.exe
        
        C:\Windows\system32\Bghddp32.exe
        73⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Bihancje.exe
        
        C:\Windows\system32\Bihancje.exe
        74⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Bgmnooom.exe
        
        C:\Windows\system32\Bgmnooom.exe
        75⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        76⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Bfpkbfdi.exe
        
        C:\Windows\system32\Bfpkbfdi.exe
        77⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Ciogobcm.exe
        
        C:\Windows\system32\Ciogobcm.exe
        78⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Clmckmcq.exe
        
        C:\Windows\system32\Clmckmcq.exe
        79⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cbglgg32.exe
        
        C:\Windows\system32\Cbglgg32.exe
        80⤵
        Modifies registry class
        
        PID:8632
        
        C:\Windows\SysWOW64\Ciaddaaj.exe
        
        C:\Windows\system32\Ciaddaaj.exe
        81⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        82⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Cnnllhpa.exe
        
        C:\Windows\system32\Cnnllhpa.exe
        83⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Cehdib32.exe
        
        C:\Windows\system32\Cehdib32.exe
        84⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Cpmifkgd.exe
        
        C:\Windows\system32\Cpmifkgd.exe
        85⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Cfgace32.exe
        
        C:\Windows\system32\Cfgace32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Cifmoa32.exe
        
        C:\Windows\system32\Cifmoa32.exe
        87⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Cldjkl32.exe
        
        C:\Windows\system32\Cldjkl32.exe
        88⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Cnbfgh32.exe
        
        C:\Windows\system32\Cnbfgh32.exe
        89⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        90⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        91⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Chkjpm32.exe
        
        C:\Windows\system32\Chkjpm32.exe
        92⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        93⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Cbqonf32.exe
        
        C:\Windows\system32\Cbqonf32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Dijgjpip.exe
        
        C:\Windows\system32\Dijgjpip.exe
        95⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        96⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dpdogj32.exe
        
        C:\Windows\system32\Dpdogj32.exe
        97⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        98⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        99⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Dhpdkm32.exe
        
        C:\Windows\system32\Dhpdkm32.exe
        100⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Dpglmjoj.exe
        
        C:\Windows\system32\Dpglmjoj.exe
        101⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Dbehienn.exe
        
        C:\Windows\system32\Dbehienn.exe
        102⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Diopep32.exe
        
        C:\Windows\system32\Diopep32.exe
        103⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Dpihbjmg.exe
        
        C:\Windows\system32\Dpihbjmg.exe
        104⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Dfcqod32.exe
        
        C:\Windows\system32\Dfcqod32.exe
        105⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Defajqko.exe
        
        C:\Windows\system32\Defajqko.exe
        106⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Dhdmfljb.exe
        
        C:\Windows\system32\Dhdmfljb.exe
        107⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Jmdjha32.exe
        
        C:\Windows\system32\Jmdjha32.exe
        108⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Jobfdl32.exe
        
        C:\Windows\system32\Jobfdl32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Nonbqd32.exe
        
        C:\Windows\system32\Nonbqd32.exe
        69⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Nhffijdm.exe
        
        C:\Windows\system32\Nhffijdm.exe
        70⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Nockkcjg.exe
        
        C:\Windows\system32\Nockkcjg.exe
        71⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Noehac32.exe
        
        C:\Windows\system32\Noehac32.exe
        72⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Odbpij32.exe
        
        C:\Windows\system32\Odbpij32.exe
        73⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Onjebpml.exe
        
        C:\Windows\system32\Onjebpml.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2884
        
        C:\Windows\SysWOW64\Ohpiphlb.exe
        
        C:\Windows\system32\Ohpiphlb.exe
        75⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        76⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Oolnabal.exe
        
        C:\Windows\system32\Oolnabal.exe
        77⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Oggbfdog.exe
        
        C:\Windows\system32\Oggbfdog.exe
        78⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ofhcdlgg.exe
        
        C:\Windows\system32\Ofhcdlgg.exe
        79⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ogjpld32.exe
        
        C:\Windows\system32\Ogjpld32.exe
        80⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Pndhhnda.exe
        
        C:\Windows\system32\Pndhhnda.exe
        81⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Qomghp32.exe
        
        C:\Windows\system32\Qomghp32.exe
        30⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Qnbdjl32.exe
        
        C:\Windows\system32\Qnbdjl32.exe
        31⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        8⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        9⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Adbkmo32.exe
        
        C:\Windows\system32\Adbkmo32.exe
        10⤵
        
        PID:9812

C:\Windows\SysWOW64\Ddgibkpc.exe
C:\Windows\system32\Ddgibkpc.exe
1⤵
PID:8052
- C:\Windows\SysWOW64\Dgeenfog.exe
  C:\Windows\system32\Dgeenfog.exe
  2⤵
  PID:8096
- - C:\Windows\SysWOW64\Dolmodpi.exe
    C:\Windows\system32\Dolmodpi.exe
    3⤵
    PID:8136
  - - C:\Windows\SysWOW64\Dakikoom.exe
      C:\Windows\system32\Dakikoom.exe
      4⤵
      PID:8176
    - - C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        5⤵
        
        PID:7204
      - C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        6⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        7⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        8⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        9⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        10⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        11⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        12⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        13⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        14⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        15⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        16⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        17⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        18⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        19⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        20⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        21⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        22⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        23⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        24⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        25⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        26⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        27⤵
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        28⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        29⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7656
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        31⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        32⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        33⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        34⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Jcfejfag.exe
        
        C:\Windows\system32\Jcfejfag.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11832
        
        C:\Windows\SysWOW64\Jfdafa32.exe
        
        C:\Windows\system32\Jfdafa32.exe
        27⤵
        
        PID:11968

C:\Windows\SysWOW64\Koimbpbc.exe
C:\Windows\system32\Koimbpbc.exe
1⤵
PID:8132
- C:\Windows\SysWOW64\Kdffjgpj.exe
  C:\Windows\system32\Kdffjgpj.exe
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\Kajfdk32.exe
    C:\Windows\system32\Kajfdk32.exe
    3⤵
    PID:7448
  - - C:\Windows\SysWOW64\Khfkfedn.exe
      C:\Windows\system32\Khfkfedn.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:7728
    - - C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        6⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        7⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        8⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        9⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        10⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4636
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        12⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7952
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        14⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        15⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        16⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        17⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        18⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        19⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        20⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        21⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        22⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        23⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        24⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        25⤵
        Modifies registry class
        
        PID:8616
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        26⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        28⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        29⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        30⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        31⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        32⤵
        Modifies registry class
        
        PID:8944
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        33⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        34⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        35⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        36⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        37⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        38⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        39⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        40⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        41⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        42⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        43⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        44⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        45⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        46⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        47⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        48⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        49⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        50⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        51⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        52⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        53⤵
        Modifies registry class
        
        PID:8836
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        54⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        55⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        56⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        57⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        58⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        59⤵
        Modifies registry class
        
        PID:9180
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        60⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        61⤵
        Modifies registry class
        
        PID:8228
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        62⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        63⤵
        
        PID:2668

C:\Windows\SysWOW64\Edfddl32.exe
C:\Windows\system32\Edfddl32.exe
1⤵
PID:8300
- C:\Windows\SysWOW64\Eegqldqg.exe
  C:\Windows\system32\Eegqldqg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:8344
- - C:\Windows\SysWOW64\Fnnimbaj.exe
    C:\Windows\system32\Fnnimbaj.exe
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\Fdjnolfd.exe
      C:\Windows\system32\Fdjnolfd.exe
      4⤵
      Modifies registry class
      PID:1000
    - - C:\Windows\SysWOW64\Feljgd32.exe
        
        C:\Windows\system32\Feljgd32.exe
        5⤵
        
        PID:8508
      - C:\Windows\SysWOW64\Flfbcndo.exe
        
        C:\Windows\system32\Flfbcndo.exe
        6⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Fneoma32.exe
        
        C:\Windows\system32\Fneoma32.exe
        7⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Ffpcbchm.exe
        
        C:\Windows\system32\Ffpcbchm.exe
        8⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Fljlom32.exe
        
        C:\Windows\system32\Fljlom32.exe
        9⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Fdadpk32.exe
        
        C:\Windows\system32\Fdadpk32.exe
        10⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Gjnlha32.exe
        
        C:\Windows\system32\Gjnlha32.exe
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Gddqejni.exe
        
        C:\Windows\system32\Gddqejni.exe
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Gfemmb32.exe
        
        C:\Windows\system32\Gfemmb32.exe
        13⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Gloejmld.exe
        
        C:\Windows\system32\Gloejmld.exe
        14⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9076
        
        C:\Windows\SysWOW64\Gckjlf32.exe
        
        C:\Windows\system32\Gckjlf32.exe
        16⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Gnckooob.exe
        
        C:\Windows\system32\Gnckooob.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2540
        
        C:\Windows\SysWOW64\Hjjldpdf.exe
        
        C:\Windows\system32\Hjjldpdf.exe
        18⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Hcbpme32.exe
        
        C:\Windows\system32\Hcbpme32.exe
        19⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Hfamia32.exe
        
        C:\Windows\system32\Hfamia32.exe
        20⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Hnhdjn32.exe
        
        C:\Windows\system32\Hnhdjn32.exe
        21⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Hqfqfj32.exe
        
        C:\Windows\system32\Hqfqfj32.exe
        22⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Hddilh32.exe
        
        C:\Windows\system32\Hddilh32.exe
        23⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Hfefdpfe.exe
        
        C:\Windows\system32\Hfefdpfe.exe
        24⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Hmpnqj32.exe
        
        C:\Windows\system32\Hmpnqj32.exe
        25⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Hclccd32.exe
        
        C:\Windows\system32\Hclccd32.exe
        26⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Icnphd32.exe
        
        C:\Windows\system32\Icnphd32.exe
        27⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Incdem32.exe
        
        C:\Windows\system32\Incdem32.exe
        28⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Iqbpahpc.exe
        
        C:\Windows\system32\Iqbpahpc.exe
        29⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Ijmapm32.exe
        
        C:\Windows\system32\Ijmapm32.exe
        30⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Iqgjmg32.exe
        
        C:\Windows\system32\Iqgjmg32.exe
        31⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Igqbiacj.exe
        
        C:\Windows\system32\Igqbiacj.exe
        32⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ifcben32.exe
        
        C:\Windows\system32\Ifcben32.exe
        33⤵
        Modifies registry class
        
        PID:8980
        
        C:\Windows\SysWOW64\Inkjfk32.exe
        
        C:\Windows\system32\Inkjfk32.exe
        34⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Iaifbg32.exe
        
        C:\Windows\system32\Iaifbg32.exe
        35⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Iedbcebd.exe
        
        C:\Windows\system32\Iedbcebd.exe
        36⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Jmpgghoo.exe
        
        C:\Windows\system32\Jmpgghoo.exe
        37⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Jfhlpnfp.exe
        
        C:\Windows\system32\Jfhlpnfp.exe
        38⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Jnocakfb.exe
        
        C:\Windows\system32\Jnocakfb.exe
        39⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Jghhjq32.exe
        
        C:\Windows\system32\Jghhjq32.exe
        40⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Jnapgjdo.exe
        
        C:\Windows\system32\Jnapgjdo.exe
        41⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Jcoioabf.exe
        
        C:\Windows\system32\Jcoioabf.exe
        42⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8272
        
        C:\Windows\SysWOW64\Kccbjq32.exe
        
        C:\Windows\system32\Kccbjq32.exe
        44⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        45⤵
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        46⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Kdjhkp32.exe
        
        C:\Windows\system32\Kdjhkp32.exe
        47⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Kfidgk32.exe
        
        C:\Windows\system32\Kfidgk32.exe
        48⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Kanidd32.exe
        
        C:\Windows\system32\Kanidd32.exe
        49⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        50⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Kmeiie32.exe
        
        C:\Windows\system32\Kmeiie32.exe
        51⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Ljijci32.exe
        
        C:\Windows\system32\Ljijci32.exe
        52⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lacbpccn.exe
        
        C:\Windows\system32\Lacbpccn.exe
        53⤵
        
        PID:3120

C:\Windows\SysWOW64\Lfpkhjae.exe
C:\Windows\system32\Lfpkhjae.exe
1⤵
- Modifies registry class
PID:6080
- C:\Windows\SysWOW64\Lhogamih.exe
  C:\Windows\system32\Lhogamih.exe
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\Ljncnhhk.exe
    C:\Windows\system32\Ljncnhhk.exe
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\Lfgahikm.exe
      C:\Windows\system32\Lfgahikm.exe
      4⤵
      Drops file in System32 directory
      PID:2792
    - - C:\Windows\SysWOW64\Malefbkc.exe
        
        C:\Windows\system32\Malefbkc.exe
        5⤵
        
        PID:5972
      - C:\Windows\SysWOW64\Mmebpbod.exe
        
        C:\Windows\system32\Mmebpbod.exe
        6⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Mhkgnkoj.exe
        
        C:\Windows\system32\Mhkgnkoj.exe
        7⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mmhofbma.exe
        
        C:\Windows\system32\Mmhofbma.exe
        8⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Meoggpmd.exe
        
        C:\Windows\system32\Meoggpmd.exe
        9⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Mklpof32.exe
        
        C:\Windows\system32\Mklpof32.exe
        10⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Moglpedd.exe
        
        C:\Windows\system32\Moglpedd.exe
        11⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mdddhlbl.exe
        
        C:\Windows\system32\Mdddhlbl.exe
        12⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mgbpdgap.exe
        
        C:\Windows\system32\Mgbpdgap.exe
        13⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Moiheebb.exe
        
        C:\Windows\system32\Moiheebb.exe
        14⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Necqbo32.exe
        
        C:\Windows\system32\Necqbo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        16⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Nolekd32.exe
        
        C:\Windows\system32\Nolekd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Ndinck32.exe
        
        C:\Windows\system32\Ndinck32.exe
        18⤵
        
        PID:5424

C:\Windows\SysWOW64\Philfgdh.exe
C:\Windows\system32\Philfgdh.exe
1⤵
PID:4140
- C:\Windows\SysWOW64\Pnfdnnbo.exe
  C:\Windows\system32\Pnfdnnbo.exe
  2⤵
  PID:6312
- - C:\Windows\SysWOW64\Pbdmdlie.exe
    C:\Windows\system32\Pbdmdlie.exe
    3⤵
    PID:6440
  - - C:\Windows\SysWOW64\Pdbiphhi.exe
      C:\Windows\system32\Pdbiphhi.exe
      4⤵
      PID:6408
    - - C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
      - C:\Windows\SysWOW64\Pkonbamc.exe
        
        C:\Windows\system32\Pkonbamc.exe
        6⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Phbolflm.exe
        
        C:\Windows\system32\Phbolflm.exe
        7⤵
        
        PID:1644

C:\Windows\SysWOW64\Qhghge32.exe
C:\Windows\system32\Qhghge32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212
- C:\Windows\SysWOW64\Abpmpkoh.exe
  C:\Windows\system32\Abpmpkoh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5904
- - C:\Windows\SysWOW64\Aijeme32.exe
    C:\Windows\system32\Aijeme32.exe
    3⤵
    PID:5420
  - - C:\Windows\SysWOW64\Adqeaf32.exe
      C:\Windows\system32\Adqeaf32.exe
      4⤵
      Modifies registry class
      PID:6400
    - - C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        5⤵
        
        PID:5820

C:\Windows\SysWOW64\Bbklli32.exe
C:\Windows\system32\Bbklli32.exe
1⤵
PID:5916

C:\Windows\SysWOW64\Jcnbekok.exe
C:\Windows\system32\Jcnbekok.exe
1⤵
PID:8068
- C:\Windows\SysWOW64\Jflnafno.exe
  C:\Windows\system32\Jflnafno.exe
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\Jikjmbmb.exe
    C:\Windows\system32\Jikjmbmb.exe
    3⤵
    PID:4592
  - - C:\Windows\SysWOW64\Jqbbno32.exe
      C:\Windows\system32\Jqbbno32.exe
      4⤵
      PID:8188

C:\Windows\SysWOW64\Jcpojk32.exe
C:\Windows\system32\Jcpojk32.exe
1⤵
PID:7236
- C:\Windows\SysWOW64\Jfokff32.exe
  C:\Windows\system32\Jfokff32.exe
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\Jjjggede.exe
    C:\Windows\system32\Jjjggede.exe
    3⤵
    PID:2656

C:\Windows\SysWOW64\Kmhccpci.exe
C:\Windows\system32\Kmhccpci.exe
1⤵
PID:5912
- C:\Windows\SysWOW64\Kpgoolbl.exe
  C:\Windows\system32\Kpgoolbl.exe
  2⤵
  PID:7708

C:\Windows\SysWOW64\Kgngqico.exe
C:\Windows\system32\Kgngqico.exe
1⤵
- Drops file in System32 directory
PID:5348
- C:\Windows\SysWOW64\Kjlcmdbb.exe
  C:\Windows\system32\Kjlcmdbb.exe
  2⤵
  PID:6968
- - C:\Windows\SysWOW64\Kiodha32.exe
    C:\Windows\system32\Kiodha32.exe
    3⤵
    PID:7912

C:\Windows\SysWOW64\Kaflio32.exe
C:\Windows\system32\Kaflio32.exe
1⤵
PID:6480
- C:\Windows\SysWOW64\Kcehejic.exe
  C:\Windows\system32\Kcehejic.exe
  2⤵
  PID:8052
- - C:\Windows\SysWOW64\Kfcdaehf.exe
    C:\Windows\system32\Kfcdaehf.exe
    3⤵
    PID:8396

C:\Windows\SysWOW64\Kiaqnagj.exe
C:\Windows\system32\Kiaqnagj.exe
1⤵
PID:7520
- C:\Windows\SysWOW64\Kmmmnp32.exe
  C:\Windows\system32\Kmmmnp32.exe
  2⤵
  PID:7648

C:\Windows\SysWOW64\Kplijk32.exe
C:\Windows\system32\Kplijk32.exe
1⤵
- Drops file in System32 directory
PID:7552
- C:\Windows\SysWOW64\Kgcqlh32.exe
  C:\Windows\system32\Kgcqlh32.exe
  2⤵
  PID:7616
- - C:\Windows\SysWOW64\Kjamhd32.exe
    C:\Windows\system32\Kjamhd32.exe
    3⤵
    PID:6164

C:\Windows\SysWOW64\Kmpido32.exe
C:\Windows\system32\Kmpido32.exe
1⤵
PID:7872
- C:\Windows\SysWOW64\Kakednfj.exe
  C:\Windows\system32\Kakednfj.exe
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\Kgemahmg.exe
    C:\Windows\system32\Kgemahmg.exe
    3⤵
    PID:5648
  - - C:\Windows\SysWOW64\Kjcjmclj.exe
      C:\Windows\system32\Kjcjmclj.exe
      4⤵
      PID:6432

C:\Windows\SysWOW64\Lapopm32.exe
C:\Windows\system32\Lapopm32.exe
1⤵
PID:6540
- C:\Windows\SysWOW64\Lcnkli32.exe
  C:\Windows\system32\Lcnkli32.exe
  2⤵
  PID:6836

C:\Windows\SysWOW64\Lfmghdpl.exe
C:\Windows\system32\Lfmghdpl.exe
1⤵
PID:7052
- C:\Windows\SysWOW64\Likcdpop.exe
  C:\Windows\system32\Likcdpop.exe
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\Labkempb.exe
    C:\Windows\system32\Labkempb.exe
    3⤵
    - Drops file in System32 directory
    PID:6604

C:\Windows\SysWOW64\Lpelqj32.exe
C:\Windows\system32\Lpelqj32.exe
1⤵
PID:4856
- C:\Windows\SysWOW64\Lglcag32.exe
  C:\Windows\system32\Lglcag32.exe
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\Ljjpnb32.exe
    C:\Windows\system32\Ljjpnb32.exe
    3⤵
    PID:8024

C:\Windows\SysWOW64\Lmiljn32.exe
C:\Windows\system32\Lmiljn32.exe
1⤵
PID:4356
- C:\Windows\SysWOW64\Lccdghmc.exe
  C:\Windows\system32\Lccdghmc.exe
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\Lfaqcclf.exe
    C:\Windows\system32\Lfaqcclf.exe
    3⤵
    PID:7224

C:\Windows\SysWOW64\Lipmoo32.exe
C:\Windows\system32\Lipmoo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6852
- C:\Windows\SysWOW64\Lagepl32.exe
  C:\Windows\system32\Lagepl32.exe
  2⤵
  PID:7572
- - C:\Windows\SysWOW64\Lpjelibg.exe
    C:\Windows\system32\Lpjelibg.exe
    3⤵
    PID:7120

C:\Windows\SysWOW64\Lhammfci.exe
C:\Windows\system32\Lhammfci.exe
1⤵
PID:7932
- C:\Windows\SysWOW64\Libido32.exe
  C:\Windows\system32\Libido32.exe
  2⤵
  - Modifies registry class
  PID:1768
- - C:\Windows\SysWOW64\Laiafl32.exe
    C:\Windows\system32\Laiafl32.exe
    3⤵
    PID:8100

C:\Windows\SysWOW64\Lplaaiqd.exe
C:\Windows\system32\Lplaaiqd.exe
1⤵
PID:2172
- C:\Windows\SysWOW64\Mffjnc32.exe
  C:\Windows\system32\Mffjnc32.exe
  2⤵
  PID:8492

C:\Windows\SysWOW64\Mjafoapj.exe
C:\Windows\system32\Mjafoapj.exe
1⤵
PID:7072
- C:\Windows\SysWOW64\Malnklgg.exe
  C:\Windows\system32\Malnklgg.exe
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\Mdjjgggk.exe
    C:\Windows\system32\Mdjjgggk.exe
    3⤵
    - Modifies registry class
    PID:6356
  - - C:\Windows\SysWOW64\Mfhgcbfo.exe
      C:\Windows\system32\Mfhgcbfo.exe
      4⤵
      PID:2012

C:\Windows\SysWOW64\Mmbopm32.exe
C:\Windows\system32\Mmbopm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984
- C:\Windows\SysWOW64\Mhhcne32.exe
  C:\Windows\system32\Mhhcne32.exe
  2⤵
  - Drops file in System32 directory
  PID:1888
- - C:\Windows\SysWOW64\Mjfoja32.exe
    C:\Windows\system32\Mjfoja32.exe
    3⤵
    PID:6948

C:\Windows\SysWOW64\Npjnbg32.exe
C:\Windows\system32\Npjnbg32.exe
1⤵
PID:6800
- C:\Windows\SysWOW64\Nhafcd32.exe
  C:\Windows\system32\Nhafcd32.exe
  2⤵
  PID:6160
- - C:\Windows\SysWOW64\Nkpbpp32.exe
    C:\Windows\system32\Nkpbpp32.exe
    3⤵
    PID:7688

C:\Windows\SysWOW64\Ndhgie32.exe
C:\Windows\system32\Ndhgie32.exe
1⤵
PID:6580
- C:\Windows\SysWOW64\Nffceq32.exe
  C:\Windows\system32\Nffceq32.exe
  2⤵
  PID:8752
- - C:\Windows\SysWOW64\Nieoal32.exe
    C:\Windows\system32\Nieoal32.exe
    3⤵
    PID:7212

C:\Windows\SysWOW64\Npognfpo.exe
C:\Windows\system32\Npognfpo.exe
1⤵
PID:6196
- C:\Windows\SysWOW64\Nhfoocaa.exe
  C:\Windows\system32\Nhfoocaa.exe
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\Nkdlkope.exe
    C:\Windows\system32\Nkdlkope.exe
    3⤵
    PID:392

C:\Windows\SysWOW64\Nmbhgjoi.exe
C:\Windows\system32\Nmbhgjoi.exe
1⤵
PID:6472
- C:\Windows\SysWOW64\Ndmpddfe.exe
  C:\Windows\system32\Ndmpddfe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:8096
- - C:\Windows\SysWOW64\Nhhldc32.exe
    C:\Windows\system32\Nhhldc32.exe
    3⤵
    PID:7816

C:\Windows\SysWOW64\Niihlkdm.exe
C:\Windows\system32\Niihlkdm.exe
1⤵
PID:6444
- C:\Windows\SysWOW64\Naqqmieo.exe
  C:\Windows\system32\Naqqmieo.exe
  2⤵
  PID:6000

C:\Windows\SysWOW64\Ndomiddc.exe
C:\Windows\system32\Ndomiddc.exe
1⤵
PID:4256
- C:\Windows\SysWOW64\Ohkijc32.exe
  C:\Windows\system32\Ohkijc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6436
- - C:\Windows\SysWOW64\Okiefn32.exe
    C:\Windows\system32\Okiefn32.exe
    3⤵
    - Modifies registry class
    PID:2736

C:\Windows\SysWOW64\Omgabj32.exe
C:\Windows\system32\Omgabj32.exe
1⤵
PID:2928
- C:\Windows\SysWOW64\Oacmchcl.exe
  C:\Windows\system32\Oacmchcl.exe
  2⤵
  PID:7128
- - C:\Windows\SysWOW64\Ohmepbki.exe
    C:\Windows\system32\Ohmepbki.exe
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\Okkalnjm.exe
      C:\Windows\system32\Okkalnjm.exe
      4⤵
      PID:6192
    - - C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        5⤵
        Drops file in System32 directory
        
        PID:7256
      - C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        6⤵
        
        PID:4300

C:\Windows\SysWOW64\Ohobebig.exe
C:\Windows\system32\Ohobebig.exe
1⤵
PID:228
- C:\Windows\SysWOW64\Oiqomj32.exe
  C:\Windows\system32\Oiqomj32.exe
  2⤵
  PID:3524

C:\Windows\SysWOW64\Oahgnh32.exe
C:\Windows\system32\Oahgnh32.exe
1⤵
PID:5676
- C:\Windows\SysWOW64\Odfcjc32.exe
  C:\Windows\system32\Odfcjc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6740
- - C:\Windows\SysWOW64\Ogdofo32.exe
    C:\Windows\system32\Ogdofo32.exe
    3⤵
    PID:5152
  - - C:\Windows\SysWOW64\Onngci32.exe
      C:\Windows\system32\Onngci32.exe
      4⤵
      PID:7064

C:\Windows\SysWOW64\Opmcod32.exe
C:\Windows\system32\Opmcod32.exe
1⤵
PID:7692
- C:\Windows\SysWOW64\Ohdlpa32.exe
  C:\Windows\system32\Ohdlpa32.exe
  2⤵
  PID:9252

C:\Windows\SysWOW64\Oggllnkl.exe
C:\Windows\system32\Oggllnkl.exe
1⤵
PID:9300
- C:\Windows\SysWOW64\Oiehhjjp.exe
  C:\Windows\system32\Oiehhjjp.exe
  2⤵
  PID:9344
- - C:\Windows\SysWOW64\Oalpigkb.exe
    C:\Windows\system32\Oalpigkb.exe
    3⤵
    PID:9384

C:\Windows\SysWOW64\Pkedbmab.exe
C:\Windows\system32\Pkedbmab.exe
1⤵
PID:9476
- C:\Windows\SysWOW64\Pncanhaf.exe
  C:\Windows\system32\Pncanhaf.exe
  2⤵
  PID:9520
- - C:\Windows\SysWOW64\Ppamjcpj.exe
    C:\Windows\system32\Ppamjcpj.exe
    3⤵
    PID:9564

C:\Windows\SysWOW64\Phiekaql.exe
C:\Windows\system32\Phiekaql.exe
1⤵
PID:9604
- C:\Windows\SysWOW64\Pkgaglpp.exe
  C:\Windows\system32\Pkgaglpp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:9644
- - C:\Windows\SysWOW64\Pnenchoc.exe
    C:\Windows\system32\Pnenchoc.exe
    3⤵
    PID:9688

C:\Windows\SysWOW64\Ppdjpcng.exe
C:\Windows\system32\Ppdjpcng.exe
1⤵
PID:9728
- C:\Windows\SysWOW64\Phkaqqoi.exe
  C:\Windows\system32\Phkaqqoi.exe
  2⤵
  PID:9764

C:\Windows\SysWOW64\Pgnblm32.exe
C:\Windows\system32\Pgnblm32.exe
1⤵
PID:9804
- C:\Windows\SysWOW64\Pjlnhi32.exe
  C:\Windows\system32\Pjlnhi32.exe
  2⤵
  - Drops file in System32 directory
  PID:9844
- - C:\Windows\SysWOW64\Pacfjfej.exe
    C:\Windows\system32\Pacfjfej.exe
    3⤵
    PID:9880

C:\Windows\SysWOW64\Ppffec32.exe
C:\Windows\system32\Ppffec32.exe
1⤵
PID:9916
- C:\Windows\SysWOW64\Phmnfp32.exe
  C:\Windows\system32\Phmnfp32.exe
  2⤵
  - Modifies registry class
  PID:9952

C:\Windows\SysWOW64\Pklkbl32.exe
C:\Windows\system32\Pklkbl32.exe
1⤵
- Modifies registry class
PID:9988
- C:\Windows\SysWOW64\Pjoknhbe.exe
  C:\Windows\system32\Pjoknhbe.exe
  2⤵
  - Drops file in System32 directory
  PID:10024

C:\Windows\SysWOW64\Pafcofcg.exe
C:\Windows\system32\Pafcofcg.exe
1⤵
PID:10060
- C:\Windows\SysWOW64\Pddokabk.exe
  C:\Windows\system32\Pddokabk.exe
  2⤵
  PID:10100
- - C:\Windows\SysWOW64\Phpklp32.exe
    C:\Windows\system32\Phpklp32.exe
    3⤵
    PID:10144

C:\Windows\SysWOW64\Pknghk32.exe
C:\Windows\system32\Pknghk32.exe
1⤵
PID:10192
- C:\Windows\SysWOW64\Pnlcdg32.exe
  C:\Windows\system32\Pnlcdg32.exe
  2⤵
  PID:10236
- - C:\Windows\SysWOW64\Pahpee32.exe
    C:\Windows\system32\Pahpee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9248
  - - C:\Windows\SysWOW64\Qdflaa32.exe
      C:\Windows\system32\Qdflaa32.exe
      4⤵
      Drops file in System32 directory
      PID:9336

C:\Windows\SysWOW64\Qgehml32.exe
C:\Windows\system32\Qgehml32.exe
1⤵
- Modifies registry class
PID:7536
- C:\Windows\SysWOW64\Qjcdih32.exe
  C:\Windows\system32\Qjcdih32.exe
  2⤵
  PID:9448

C:\Windows\SysWOW64\Qnopjfgi.exe
C:\Windows\system32\Qnopjfgi.exe
1⤵
- Modifies registry class
PID:9532
- C:\Windows\SysWOW64\Qpmmfbfl.exe
  C:\Windows\system32\Qpmmfbfl.exe
  2⤵
  PID:9592

C:\Windows\SysWOW64\Qhddgofo.exe
C:\Windows\system32\Qhddgofo.exe
1⤵
- Modifies registry class
PID:9620
- C:\Windows\SysWOW64\Qggebl32.exe
  C:\Windows\system32\Qggebl32.exe
  2⤵
  PID:9716
- - C:\Windows\SysWOW64\Qjeaog32.exe
    C:\Windows\system32\Qjeaog32.exe
    3⤵
    PID:9796

C:\Windows\SysWOW64\Aamipe32.exe
C:\Windows\system32\Aamipe32.exe
1⤵
PID:9872
- C:\Windows\SysWOW64\Aqpika32.exe
  C:\Windows\system32\Aqpika32.exe
  2⤵
  PID:9940

C:\Windows\SysWOW64\Ahgamo32.exe
C:\Windows\system32\Ahgamo32.exe
1⤵
PID:10008
- C:\Windows\SysWOW64\Akenij32.exe
  C:\Windows\system32\Akenij32.exe
  2⤵
  PID:10092

C:\Windows\SysWOW64\Ajhndgjj.exe
C:\Windows\system32\Ajhndgjj.exe
1⤵
- Drops file in System32 directory
PID:10156
- C:\Windows\SysWOW64\Aaofedkl.exe
  C:\Windows\system32\Aaofedkl.exe
  2⤵
  PID:10216

C:\Windows\SysWOW64\Ahinbo32.exe
C:\Windows\system32\Ahinbo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9392
- C:\Windows\SysWOW64\Akgjnj32.exe
  C:\Windows\system32\Akgjnj32.exe
  2⤵
  PID:9512

C:\Windows\SysWOW64\Ajjjjghg.exe
C:\Windows\system32\Ajjjjghg.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:9636
- C:\Windows\SysWOW64\Anffje32.exe
  C:\Windows\system32\Anffje32.exe
  2⤵
  PID:9724

C:\Windows\SysWOW64\Aqdbfa32.exe
C:\Windows\system32\Aqdbfa32.exe
1⤵
PID:9824
- C:\Windows\SysWOW64\Ahkkhnpg.exe
  C:\Windows\system32\Ahkkhnpg.exe
  2⤵
  PID:9976

C:\Windows\SysWOW64\Agnkck32.exe
C:\Windows\system32\Agnkck32.exe
1⤵
PID:10124
- C:\Windows\SysWOW64\Ajmgof32.exe
  C:\Windows\system32\Ajmgof32.exe
  2⤵
  PID:3096

C:\Windows\SysWOW64\Agqhik32.exe
C:\Windows\system32\Agqhik32.exe
1⤵
PID:10044
- C:\Windows\SysWOW64\Aklciimh.exe
  C:\Windows\system32\Aklciimh.exe
  2⤵
  PID:10180

C:\Windows\SysWOW64\Anjpeelk.exe
C:\Windows\system32\Anjpeelk.exe
1⤵
PID:9528
- C:\Windows\SysWOW64\Addhbo32.exe
  C:\Windows\system32\Addhbo32.exe
  2⤵
  - Modifies registry class
  PID:9792
- - C:\Windows\SysWOW64\Ahpdcn32.exe
    C:\Windows\system32\Ahpdcn32.exe
    3⤵
    - Drops file in System32 directory
    PID:10200

C:\Windows\SysWOW64\Akopoi32.exe
C:\Windows\system32\Akopoi32.exe
1⤵
PID:9696
- C:\Windows\SysWOW64\Anmmkd32.exe
  C:\Windows\system32\Anmmkd32.exe
  2⤵
  PID:7560

C:\Windows\SysWOW64\Bqkigp32.exe
C:\Windows\system32\Bqkigp32.exe
1⤵
PID:10140
- C:\Windows\SysWOW64\Bhbahm32.exe
  C:\Windows\system32\Bhbahm32.exe
  2⤵
  PID:10244
- - C:\Windows\SysWOW64\Bgeadjai.exe
    C:\Windows\system32\Bgeadjai.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:10284

C:\Windows\SysWOW64\Bjcmpepm.exe
C:\Windows\system32\Bjcmpepm.exe
1⤵
PID:10320
- C:\Windows\SysWOW64\Bbkeacqo.exe
  C:\Windows\system32\Bbkeacqo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:10360

C:\Windows\SysWOW64\Bdiamnpc.exe
C:\Windows\system32\Bdiamnpc.exe
1⤵
PID:10404
- C:\Windows\SysWOW64\Bggnijof.exe
  C:\Windows\system32\Bggnijof.exe
  2⤵
  PID:10440

C:\Windows\SysWOW64\Bkcjjhgp.exe
C:\Windows\system32\Bkcjjhgp.exe
1⤵
PID:10476
- C:\Windows\SysWOW64\Bnaffdfc.exe
  C:\Windows\system32\Bnaffdfc.exe
  2⤵
  - Drops file in System32 directory
  PID:10524
- - C:\Windows\SysWOW64\Bqpbboeg.exe
    C:\Windows\system32\Bqpbboeg.exe
    3⤵
    PID:10564

C:\Windows\SysWOW64\Bhgjcmfi.exe
C:\Windows\system32\Bhgjcmfi.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:10604
- C:\Windows\SysWOW64\Bkefphem.exe
  C:\Windows\system32\Bkefphem.exe
  2⤵
  PID:10652

C:\Windows\SysWOW64\Bjhgke32.exe
C:\Windows\system32\Bjhgke32.exe
1⤵
PID:10688
- C:\Windows\SysWOW64\Bbpolb32.exe
  C:\Windows\system32\Bbpolb32.exe
  2⤵
  PID:10736

C:\Windows\SysWOW64\Bdnkhn32.exe
C:\Windows\system32\Bdnkhn32.exe
1⤵
PID:10776
- C:\Windows\SysWOW64\Bglgdi32.exe
  C:\Windows\system32\Bglgdi32.exe
  2⤵
  PID:10812
- - C:\Windows\SysWOW64\Bkhceh32.exe
    C:\Windows\system32\Bkhceh32.exe
    3⤵
    PID:10856
  - - C:\Windows\SysWOW64\Bdphnmjk.exe
      C:\Windows\system32\Bdphnmjk.exe
      4⤵
      PID:10900
    - - C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        5⤵
        
        PID:10944

C:\Windows\SysWOW64\Bjmpfdhb.exe
C:\Windows\system32\Bjmpfdhb.exe
1⤵
PID:10988
- C:\Windows\SysWOW64\Cnhlgc32.exe
  C:\Windows\system32\Cnhlgc32.exe
  2⤵
  PID:11024

C:\Windows\SysWOW64\Cqghcn32.exe
C:\Windows\system32\Cqghcn32.exe
1⤵
PID:11068
- C:\Windows\SysWOW64\Cinpdl32.exe
  C:\Windows\system32\Cinpdl32.exe
  2⤵
  - Modifies registry class
  PID:11112
- - C:\Windows\SysWOW64\Cgaqphgl.exe
    C:\Windows\system32\Cgaqphgl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:11148

C:\Windows\SysWOW64\Cjomldfp.exe
C:\Windows\system32\Cjomldfp.exe
1⤵
PID:11192
- C:\Windows\SysWOW64\Cbfema32.exe
  C:\Windows\system32\Cbfema32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:11232
- - C:\Windows\SysWOW64\Ciqmjkno.exe
    C:\Windows\system32\Ciqmjkno.exe
    3⤵
    PID:9468

C:\Windows\SysWOW64\Cgcmeh32.exe
C:\Windows\system32\Cgcmeh32.exe
1⤵
PID:10312
- C:\Windows\SysWOW64\Cjaiac32.exe
  C:\Windows\system32\Cjaiac32.exe
  2⤵
  - Modifies registry class
  PID:10368
- - C:\Windows\SysWOW64\Cbiabq32.exe
    C:\Windows\system32\Cbiabq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:10436

C:\Windows\SysWOW64\Cegnol32.exe
C:\Windows\system32\Cegnol32.exe
1⤵
PID:10512
- C:\Windows\SysWOW64\Cicjokll.exe
  C:\Windows\system32\Cicjokll.exe
  2⤵
  PID:10548

C:\Windows\SysWOW64\Ckafkfkp.exe
C:\Windows\system32\Ckafkfkp.exe
1⤵
PID:10648
- C:\Windows\SysWOW64\Cnpbgajc.exe
  C:\Windows\system32\Cnpbgajc.exe
  2⤵
  - Modifies registry class
  PID:10716
- - C:\Windows\SysWOW64\Canocm32.exe
    C:\Windows\system32\Canocm32.exe
    3⤵
    PID:10760

C:\Windows\SysWOW64\Ciefek32.exe
C:\Windows\system32\Ciefek32.exe
1⤵
PID:10836
- C:\Windows\SysWOW64\Ckcbaf32.exe
  C:\Windows\system32\Ckcbaf32.exe
  2⤵
  PID:10888

C:\Windows\SysWOW64\Cnboma32.exe
C:\Windows\system32\Cnboma32.exe
1⤵
PID:10952
- C:\Windows\SysWOW64\Capkim32.exe
  C:\Windows\system32\Capkim32.exe
  2⤵
  - Drops file in System32 directory
  PID:11016
- - C:\Windows\SysWOW64\Cigcjj32.exe
    C:\Windows\system32\Cigcjj32.exe
    3⤵
    PID:11008

C:\Windows\SysWOW64\Ckfofe32.exe
C:\Windows\system32\Ckfofe32.exe
1⤵
PID:11144
- C:\Windows\SysWOW64\Djipbbne.exe
  C:\Windows\system32\Djipbbne.exe
  2⤵
  PID:10252
- - C:\Windows\SysWOW64\Dlkiaece.exe
    C:\Windows\system32\Dlkiaece.exe
    3⤵
    PID:10400
  - - C:\Windows\SysWOW64\Dioiki32.exe
      C:\Windows\system32\Dioiki32.exe
      4⤵
      PID:10516

C:\Windows\SysWOW64\Dgaiffii.exe
C:\Windows\system32\Dgaiffii.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:10640
- C:\Windows\SysWOW64\Djpfbahm.exe
  C:\Windows\system32\Djpfbahm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:10772

C:\Windows\SysWOW64\Dbgndoho.exe
C:\Windows\system32\Dbgndoho.exe
1⤵
PID:10864
- C:\Windows\SysWOW64\Deejpjgc.exe
  C:\Windows\system32\Deejpjgc.exe
  2⤵
  PID:10996

C:\Windows\SysWOW64\Dlobmd32.exe
C:\Windows\system32\Dlobmd32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:11096
- C:\Windows\SysWOW64\Dnnoip32.exe
  C:\Windows\system32\Dnnoip32.exe
  2⤵
  PID:11200
- - C:\Windows\SysWOW64\Dehgejep.exe
    C:\Windows\system32\Dehgejep.exe
    3⤵
    PID:10492
  - - C:\Windows\SysWOW64\Eangjkkd.exe
      C:\Windows\system32\Eangjkkd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:10700
    - - C:\Windows\SysWOW64\Eaqdpjia.exe
        
        C:\Windows\system32\Eaqdpjia.exe
        5⤵
        
        PID:10808

C:\Windows\SysWOW64\Eelpqi32.exe
C:\Windows\system32\Eelpqi32.exe
1⤵
PID:11160
- C:\Windows\SysWOW64\Ehklmd32.exe
  C:\Windows\system32\Ehklmd32.exe
  2⤵
  - Modifies registry class
  PID:10384

C:\Windows\SysWOW64\Ejiiippb.exe
C:\Windows\system32\Ejiiippb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:10756
- C:\Windows\SysWOW64\Ebpqjmpd.exe
  C:\Windows\system32\Ebpqjmpd.exe
  2⤵
  PID:11060
- - C:\Windows\SysWOW64\Eeomfioh.exe
    C:\Windows\system32\Eeomfioh.exe
    3⤵
    PID:10428

C:\Windows\SysWOW64\Ehmibdol.exe
C:\Windows\system32\Ehmibdol.exe
1⤵
PID:10868
- C:\Windows\SysWOW64\Eliecc32.exe
  C:\Windows\system32\Eliecc32.exe
  2⤵
  PID:10280

C:\Windows\SysWOW64\Engaon32.exe
C:\Windows\system32\Engaon32.exe
1⤵
- Modifies registry class
PID:11184
- C:\Windows\SysWOW64\Eaenkj32.exe
  C:\Windows\system32\Eaenkj32.exe
  2⤵
  - Drops file in System32 directory
  PID:11268

C:\Windows\SysWOW64\Eimelg32.exe
C:\Windows\system32\Eimelg32.exe
1⤵
PID:11312
- C:\Windows\SysWOW64\Ehofhdli.exe
  C:\Windows\system32\Ehofhdli.exe
  2⤵
  PID:11360

C:\Windows\SysWOW64\Ejnbdp32.exe
C:\Windows\system32\Ejnbdp32.exe
1⤵
- Modifies registry class
PID:11404
- C:\Windows\SysWOW64\Ebejem32.exe
  C:\Windows\system32\Ebejem32.exe
  2⤵
  PID:11444
- - C:\Windows\SysWOW64\Eecfah32.exe
    C:\Windows\system32\Eecfah32.exe
    3⤵
    PID:11484

C:\Windows\SysWOW64\Flmonbbp.exe
C:\Windows\system32\Flmonbbp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11572
- C:\Windows\SysWOW64\Folkjnbc.exe
  C:\Windows\system32\Folkjnbc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:11616
- - C:\Windows\SysWOW64\Fajgfiag.exe
    C:\Windows\system32\Fajgfiag.exe
    3⤵
    PID:11656

C:\Windows\SysWOW64\Fiaogfai.exe
C:\Windows\system32\Fiaogfai.exe
1⤵
PID:11696
- C:\Windows\SysWOW64\Fhdocc32.exe
  C:\Windows\system32\Fhdocc32.exe
  2⤵
  PID:11744
- - C:\Windows\SysWOW64\Falcli32.exe
    C:\Windows\system32\Falcli32.exe
    3⤵
    - Modifies registry class
    PID:11792

C:\Windows\SysWOW64\Ficlmf32.exe
C:\Windows\system32\Ficlmf32.exe
1⤵
PID:11836
- C:\Windows\SysWOW64\Flbhia32.exe
  C:\Windows\system32\Flbhia32.exe
  2⤵
  PID:11884

C:\Windows\SysWOW64\Faopah32.exe
C:\Windows\system32\Faopah32.exe
1⤵
PID:11928
- C:\Windows\SysWOW64\Fifhbf32.exe
  C:\Windows\system32\Fifhbf32.exe
  2⤵
  - Modifies registry class
  PID:11976

C:\Windows\SysWOW64\Fkgejncb.exe
C:\Windows\system32\Fkgejncb.exe
1⤵
PID:12020
- C:\Windows\SysWOW64\Fbnmkk32.exe
  C:\Windows\system32\Fbnmkk32.exe
  2⤵
  PID:12072

C:\Windows\SysWOW64\Femigg32.exe
C:\Windows\system32\Femigg32.exe
1⤵
PID:12116
- C:\Windows\SysWOW64\Fhkecb32.exe
  C:\Windows\system32\Fhkecb32.exe
  2⤵
  PID:12156

C:\Windows\SysWOW64\Feofmf32.exe
C:\Windows\system32\Feofmf32.exe
1⤵
PID:12252
- C:\Windows\SysWOW64\Gikbneio.exe
  C:\Windows\system32\Gikbneio.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:10932

C:\Windows\SysWOW64\Glkkop32.exe
C:\Windows\system32\Glkkop32.exe
1⤵
PID:11492
- C:\Windows\SysWOW64\Gojgkl32.exe
  C:\Windows\system32\Gojgkl32.exe
  2⤵
  PID:11520

C:\Windows\SysWOW64\Gahcgg32.exe
C:\Windows\system32\Gahcgg32.exe
1⤵
PID:11608
- C:\Windows\SysWOW64\Gedohfmp.exe
  C:\Windows\system32\Gedohfmp.exe
  2⤵
  PID:11688
- - C:\Windows\SysWOW64\Ghbkdald.exe
    C:\Windows\system32\Ghbkdald.exe
    3⤵
    PID:7384

C:\Windows\SysWOW64\Gkqhpmkg.exe
C:\Windows\system32\Gkqhpmkg.exe
1⤵
PID:11776
- C:\Windows\SysWOW64\Ghdhja32.exe
  C:\Windows\system32\Ghdhja32.exe
  2⤵
  PID:11876
- - C:\Windows\SysWOW64\Glpdjpbj.exe
    C:\Windows\system32\Glpdjpbj.exe
    3⤵
    PID:11920

C:\Windows\SysWOW64\Ghgeoq32.exe
C:\Windows\system32\Ghgeoq32.exe
1⤵
- Drops file in System32 directory
PID:11960
- C:\Windows\SysWOW64\Gkeakl32.exe
  C:\Windows\system32\Gkeakl32.exe
  2⤵
  PID:12028

C:\Windows\SysWOW64\Gekeie32.exe
C:\Windows\system32\Gekeie32.exe
1⤵
PID:12144
- C:\Windows\SysWOW64\Hocjaj32.exe
  C:\Windows\system32\Hocjaj32.exe
  2⤵
  - Modifies registry class
  PID:12180
- - C:\Windows\SysWOW64\Hembndee.exe
    C:\Windows\system32\Hembndee.exe
    3⤵
    PID:12280
  - - C:\Windows\SysWOW64\Hkjjfkcm.exe
      C:\Windows\system32\Hkjjfkcm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:11308
    - - C:\Windows\SysWOW64\Hadcce32.exe
        
        C:\Windows\system32\Hadcce32.exe
        5⤵
        
        PID:11440
      - C:\Windows\SysWOW64\Hikkdc32.exe
        
        C:\Windows\system32\Hikkdc32.exe
        6⤵
        Drops file in System32 directory
        
        PID:11504

C:\Windows\SysWOW64\Hklglk32.exe
C:\Windows\system32\Hklglk32.exe
1⤵
PID:11580
- C:\Windows\SysWOW64\Hccomh32.exe
  C:\Windows\system32\Hccomh32.exe
  2⤵
  PID:11684

C:\Windows\SysWOW64\Hebkid32.exe
C:\Windows\system32\Hebkid32.exe
1⤵
- Modifies registry class
PID:11756
- C:\Windows\SysWOW64\Hllcfnhm.exe
  C:\Windows\system32\Hllcfnhm.exe
  2⤵
  PID:11820
- - C:\Windows\SysWOW64\Hojpbigq.exe
    C:\Windows\system32\Hojpbigq.exe
    3⤵
    PID:7924

C:\Windows\SysWOW64\Hipdpbgf.exe
C:\Windows\system32\Hipdpbgf.exe
1⤵
PID:7524
- C:\Windows\SysWOW64\Hlnqln32.exe
  C:\Windows\system32\Hlnqln32.exe
  2⤵
  PID:12136
- - C:\Windows\SysWOW64\Hommhi32.exe
    C:\Windows\system32\Hommhi32.exe
    3⤵
    PID:3028

C:\Windows\SysWOW64\Iefedcmk.exe
C:\Windows\system32\Iefedcmk.exe
1⤵
PID:10704
- C:\Windows\SysWOW64\Iibaeb32.exe
  C:\Windows\system32\Iibaeb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:11392
- - C:\Windows\SysWOW64\Ilqmam32.exe
    C:\Windows\system32\Ilqmam32.exe
    3⤵
    PID:11476

C:\Windows\SysWOW64\Iooimi32.exe
C:\Windows\system32\Iooimi32.exe
1⤵
PID:3316
- C:\Windows\SysWOW64\Iameid32.exe
  C:\Windows\system32\Iameid32.exe
  2⤵
  PID:11728

C:\Windows\SysWOW64\Ieiajckh.exe
C:\Windows\system32\Ieiajckh.exe
1⤵
PID:11780
- C:\Windows\SysWOW64\Ihgnfnjl.exe
  C:\Windows\system32\Ihgnfnjl.exe
  2⤵
  PID:11892
- - C:\Windows\SysWOW64\Ikejbjip.exe
    C:\Windows\system32\Ikejbjip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:12008

C:\Windows\SysWOW64\Ihjjln32.exe
C:\Windows\system32\Ihjjln32.exe
1⤵
PID:12196
- C:\Windows\SysWOW64\Icooig32.exe
  C:\Windows\system32\Icooig32.exe
  2⤵
  PID:11304
- - C:\Windows\SysWOW64\Ifnkeb32.exe
    C:\Windows\system32\Ifnkeb32.exe
    3⤵
    PID:11612

C:\Windows\SysWOW64\Ilgcblnp.exe
C:\Windows\system32\Ilgcblnp.exe
1⤵
PID:11736
- C:\Windows\SysWOW64\Iofpnhmc.exe
  C:\Windows\system32\Iofpnhmc.exe
  2⤵
  PID:11908
- - C:\Windows\SysWOW64\Ijkdkq32.exe
    C:\Windows\system32\Ijkdkq32.exe
    3⤵
    PID:12016

C:\Windows\SysWOW64\Iljpgl32.exe
C:\Windows\system32\Iljpgl32.exe
1⤵
PID:12128
- C:\Windows\SysWOW64\Ikmpcicg.exe
  C:\Windows\system32\Ikmpcicg.exe
  2⤵
  PID:12260
- - C:\Windows\SysWOW64\Jbghpc32.exe
    C:\Windows\system32\Jbghpc32.exe
    3⤵
    PID:8156

C:\Windows\SysWOW64\Jjpmfpid.exe
C:\Windows\system32\Jjpmfpid.exe
1⤵
PID:7176
- C:\Windows\SysWOW64\Jomeoggk.exe
  C:\Windows\system32\Jomeoggk.exe
  2⤵
  PID:11336

C:\Windows\SysWOW64\Jjbjlpga.exe
C:\Windows\system32\Jjbjlpga.exe
1⤵
PID:11472
- C:\Windows\SysWOW64\Jlafhkfe.exe
  C:\Windows\system32\Jlafhkfe.exe
  2⤵
  PID:7528

C:\Windows\SysWOW64\Jjefao32.exe
C:\Windows\system32\Jjefao32.exe
1⤵
PID:2580
- C:\Windows\SysWOW64\Jmccnk32.exe
  C:\Windows\system32\Jmccnk32.exe
  2⤵
  - Modifies registry class
  PID:7732

C:\Windows\SysWOW64\Joaojf32.exe
C:\Windows\system32\Joaojf32.exe
1⤵
PID:8016
- C:\Windows\SysWOW64\Jflgfpkc.exe
  C:\Windows\system32\Jflgfpkc.exe
  2⤵
  PID:11340
- - C:\Windows\SysWOW64\Jjgcgo32.exe
    C:\Windows\system32\Jjgcgo32.exe
    3⤵
    PID:11964

C:\Windows\SysWOW64\Jmepcj32.exe
C:\Windows\system32\Jmepcj32.exe
1⤵
- Modifies registry class
PID:7804
- C:\Windows\SysWOW64\Jodlof32.exe
  C:\Windows\system32\Jodlof32.exe
  2⤵
  - Modifies registry class
  PID:3936

C:\Windows\SysWOW64\Kjipmoai.exe
C:\Windows\system32\Kjipmoai.exe
1⤵
PID:12104
- C:\Windows\SysWOW64\Kilphk32.exe
  C:\Windows\system32\Kilphk32.exe
  2⤵
  - Drops file in System32 directory
  PID:12296

C:\Windows\SysWOW64\Kfpqap32.exe
C:\Windows\system32\Kfpqap32.exe
1⤵
- Drops file in System32 directory
PID:12424
- C:\Windows\SysWOW64\Kiomnk32.exe
  C:\Windows\system32\Kiomnk32.exe
  2⤵
  PID:12472

C:\Windows\SysWOW64\Koiejemn.exe
C:\Windows\system32\Koiejemn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:12516
- C:\Windows\SysWOW64\Kbgafqla.exe
  C:\Windows\system32\Kbgafqla.exe
  2⤵
  PID:12572
- - C:\Windows\SysWOW64\Kiajck32.exe
    C:\Windows\system32\Kiajck32.exe
    3⤵
    PID:12616
  - - C:\Windows\SysWOW64\Kkofofbb.exe
      C:\Windows\system32\Kkofofbb.exe
      4⤵
      PID:12664

C:\Windows\SysWOW64\Kcfnqccd.exe
C:\Windows\system32\Kcfnqccd.exe
1⤵
PID:12700
- C:\Windows\SysWOW64\Kjqfmn32.exe
  C:\Windows\system32\Kjqfmn32.exe
  2⤵
  PID:12748
- - C:\Windows\SysWOW64\Kmobii32.exe
    C:\Windows\system32\Kmobii32.exe
    3⤵
    PID:12784

C:\Windows\SysWOW64\Kifcnjpi.exe
C:\Windows\system32\Kifcnjpi.exe
1⤵
- Drops file in System32 directory
PID:12884
- C:\Windows\SysWOW64\Lfjchn32.exe
  C:\Windows\system32\Lfjchn32.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:12940
- - C:\Windows\SysWOW64\Lihpdj32.exe
    C:\Windows\system32\Lihpdj32.exe
    3⤵
    PID:12988

C:\Windows\SysWOW64\Lcndab32.exe
C:\Windows\system32\Lcndab32.exe
1⤵
PID:13036
- C:\Windows\SysWOW64\Lflpmn32.exe
  C:\Windows\system32\Lflpmn32.exe
  2⤵
  PID:13080
- - C:\Windows\SysWOW64\Lkiiee32.exe
    C:\Windows\system32\Lkiiee32.exe
    3⤵
    PID:13120

C:\Windows\SysWOW64\Lbcabo32.exe
C:\Windows\system32\Lbcabo32.exe
1⤵
PID:13168
- C:\Windows\SysWOW64\Ljjicl32.exe
  C:\Windows\system32\Ljjicl32.exe
  2⤵
  PID:13212

C:\Windows\SysWOW64\Lbenho32.exe
C:\Windows\system32\Lbenho32.exe
1⤵
PID:13308
- C:\Windows\SysWOW64\Ljleil32.exe
  C:\Windows\system32\Ljleil32.exe
  2⤵
  PID:12356

C:\Windows\SysWOW64\Lmkbeg32.exe
C:\Windows\system32\Lmkbeg32.exe
1⤵
PID:12432
- C:\Windows\SysWOW64\Ljoboloa.exe
  C:\Windows\system32\Ljoboloa.exe
  2⤵
  PID:12460
- - C:\Windows\SysWOW64\Mcggga32.exe
    C:\Windows\system32\Mcggga32.exe
    3⤵
    - Drops file in System32 directory
    PID:12560
  - - C:\Windows\SysWOW64\Midoph32.exe
      C:\Windows\system32\Midoph32.exe
      4⤵
      PID:12672
    - - C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        5⤵
        
        PID:7928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 416
        6⤵
        Program crash
        
        PID:12928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7928 -ip 7928
1⤵
PID:12856

C:\Windows\SysWOW64\Lkkekdhe.exe
C:\Windows\system32\Lkkekdhe.exe
1⤵
PID:13260

C:\Windows\SysWOW64\Kfggbope.exe
C:\Windows\system32\Kfggbope.exe
1⤵
PID:12840

C:\Windows\SysWOW64\Kcbded32.exe
C:\Windows\system32\Kcbded32.exe
1⤵
PID:12372

C:\Windows\SysWOW64\Kkkldg32.exe
C:\Windows\system32\Kkkldg32.exe
1⤵
PID:12332

C:\Windows\SysWOW64\Kbbhka32.exe
C:\Windows\system32\Kbbhka32.exe
1⤵
- Modifies registry class
PID:11972

C:\Windows\SysWOW64\Joobdfei.exe
C:\Windows\system32\Joobdfei.exe
1⤵
PID:12216

C:\Windows\SysWOW64\Jllmml32.exe
C:\Windows\system32\Jllmml32.exe
1⤵
PID:8092

C:\Windows\SysWOW64\Icmbcg32.exe
C:\Windows\system32\Icmbcg32.exe
1⤵
PID:12112

C:\Windows\SysWOW64\Hahlnefd.exe
C:\Windows\system32\Hahlnefd.exe
1⤵
PID:492

C:\Windows\SysWOW64\Gaoihfoo.exe
C:\Windows\system32\Gaoihfoo.exe
1⤵
PID:12124

C:\Windows\SysWOW64\Gaffbg32.exe
C:\Windows\system32\Gaffbg32.exe
1⤵
PID:11388

C:\Windows\SysWOW64\Glinjqhb.exe
C:\Windows\system32\Glinjqhb.exe
1⤵
PID:11320

C:\Windows\SysWOW64\Fbqiak32.exe
C:\Windows\system32\Fbqiak32.exe
1⤵
PID:12204

C:\Windows\SysWOW64\Fhbbmc32.exe
C:\Windows\system32\Fhbbmc32.exe
1⤵
PID:11524

C:\Windows\SysWOW64\Aqbfaa32.exe
C:\Windows\system32\Aqbfaa32.exe
1⤵
- Modifies registry class
PID:9308

C:\Windows\SysWOW64\Pgihanii.exe
C:\Windows\system32\Pgihanii.exe
1⤵
- Drops file in System32 directory
PID:9428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aciihh32.dll

Filesize
7KB

MD5
3da3b9fc8c7338c230c9246b12661527

SHA1
b1337700bb32755dc27426c5280cf6d447815cfe

SHA256
49be17ef29de5458b694bfea44c9126cae5f5b368167c297720379ef90495d27

SHA512
8c2894cf5e91dd4929430f80b8d96ec3abb8b6c0c95b5b4c0937a358ecb2afd58cc72c95ffad7a6a27acd0f91b47c9466c2bc1e0ba4522726fc6bb69d0593958

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
324KB

MD5
0d3433f6fa5888462a6e2ba0b6263aef

SHA1
c36cddf843174317a29c64819649b28617bbebe0

SHA256
89ffe390cda5ae1b28658c7e89aac9a4ed94fa4254ba1f16a97301ab3c55e874

SHA512
fca9e94332d0a4dd463ddb61f687c8e1c8d232b0bae03d0a4ba1abb82a7022be3f6a2ac1d4663a3fa9d4fb62cf27d253bce733b1c62ee94e48363378b8742d41

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
324KB

MD5
0d3433f6fa5888462a6e2ba0b6263aef

SHA1
c36cddf843174317a29c64819649b28617bbebe0

SHA256
89ffe390cda5ae1b28658c7e89aac9a4ed94fa4254ba1f16a97301ab3c55e874

SHA512
fca9e94332d0a4dd463ddb61f687c8e1c8d232b0bae03d0a4ba1abb82a7022be3f6a2ac1d4663a3fa9d4fb62cf27d253bce733b1c62ee94e48363378b8742d41

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
324KB

MD5
4302d88a4a2d2378891e786ac714735b

SHA1
f09dd60ad3edf33198c3043c3ca93b817d67daa6

SHA256
de6bda91d5b0e1358bbc3a8ab899b192d9da4af46ee497cecbb09bff53e97f77

SHA512
afe90c96bb507a41fff5a6cce5eb26ced1010ae947e88658f0bbf75a794e6422cb958cfc3143982c0dc56e0d631005d6948796b9d6bde88b6a43e9cc07b035d4

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
324KB

MD5
4302d88a4a2d2378891e786ac714735b

SHA1
f09dd60ad3edf33198c3043c3ca93b817d67daa6

SHA256
de6bda91d5b0e1358bbc3a8ab899b192d9da4af46ee497cecbb09bff53e97f77

SHA512
afe90c96bb507a41fff5a6cce5eb26ced1010ae947e88658f0bbf75a794e6422cb958cfc3143982c0dc56e0d631005d6948796b9d6bde88b6a43e9cc07b035d4

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
324KB

MD5
d4bf94a72f15477a87ed176451deede4

SHA1
7bdcf7caf4d0b68e06e8b33fb0d28ce39ff4ef3c

SHA256
5aed0e4c13bb3d92a97359e000a18c89467f652def747688a462932130a08108

SHA512
1d46af443720862ff4dafe56eea0b74665efd46ceca6d8c106e82147518b0cac65b4bab50b132a471fcbd9271ff1c7c72ec460e394f10b6925dd15d869c242f9

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
324KB

MD5
d4bf94a72f15477a87ed176451deede4

SHA1
7bdcf7caf4d0b68e06e8b33fb0d28ce39ff4ef3c

SHA256
5aed0e4c13bb3d92a97359e000a18c89467f652def747688a462932130a08108

SHA512
1d46af443720862ff4dafe56eea0b74665efd46ceca6d8c106e82147518b0cac65b4bab50b132a471fcbd9271ff1c7c72ec460e394f10b6925dd15d869c242f9

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
324KB

MD5
a669c1ae52c7158485772635c140f19e

SHA1
26f12b67c53398fc61077ccefd5f803b615bf0a6

SHA256
63522051f67392e51e55cab31107c5a7813c3ec66bd95da7a0c0175ae8d5557a

SHA512
e3f2f2ad6a60a2061947a03c542c5176e07ca3cba13cb7ca4e418e7317e57629debec1964b364567e6d78619b17c5a1aa56622b8e8a49e8d1d1e74a0d04956e1

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
324KB

MD5
a669c1ae52c7158485772635c140f19e

SHA1
26f12b67c53398fc61077ccefd5f803b615bf0a6

SHA256
63522051f67392e51e55cab31107c5a7813c3ec66bd95da7a0c0175ae8d5557a

SHA512
e3f2f2ad6a60a2061947a03c542c5176e07ca3cba13cb7ca4e418e7317e57629debec1964b364567e6d78619b17c5a1aa56622b8e8a49e8d1d1e74a0d04956e1

Download Submit
C:\Windows\SysWOW64\Anffje32.exe

Filesize
324KB

MD5
5606773cb5c85de36788e83a1edb93d0

SHA1
2da6a259ed2b1327d8ab6bc4a76011ff1a58b23d

SHA256
587fa72fc528d54c824893c09220367e6c9ef15166a324b096ab5e61a4dce8ca

SHA512
9ad52429924ab3b9056afb40034a49168ec4823366b1afd0df79977af867ece01edbb5f1cc71e8fc89d14dc3b34405c07e4c9bedf30c93edfcde7264718bebac

Download Submit
C:\Windows\SysWOW64\Anobgl32.exe

Filesize
324KB

MD5
d979a9df6064002b00a74c94380918e3

SHA1
dd212652ae6f51afcb01be94beedc7eb1e9cb243

SHA256
25d325e03828970af83931a6255a46eafcb2377b99013eb39fefdeb2e37809eb

SHA512
ff4bcb626ba24f8f7bb01781f5a6ffc5a43c6e36b6afb4e605c1043a2030536d6c1030e3dff8c73050dc6dda262d0755d6784d2ffbe29973eddf34203babf4b3

Download Submit
C:\Windows\SysWOW64\Anobgl32.exe

Filesize
324KB

MD5
d979a9df6064002b00a74c94380918e3

SHA1
dd212652ae6f51afcb01be94beedc7eb1e9cb243

SHA256
25d325e03828970af83931a6255a46eafcb2377b99013eb39fefdeb2e37809eb

SHA512
ff4bcb626ba24f8f7bb01781f5a6ffc5a43c6e36b6afb4e605c1043a2030536d6c1030e3dff8c73050dc6dda262d0755d6784d2ffbe29973eddf34203babf4b3

Download Submit
C:\Windows\SysWOW64\Aqbfaa32.exe

Filesize
324KB

MD5
05d58f4e482b711ff4427244f006d032

SHA1
b5be737e2f254775335f6a962fbd3d40a377c4d6

SHA256
6aa684af1ac6484e7023d6fe985299975c5ccb67e17f35b43cd23e6b841c8626

SHA512
b2bccf04b11604388c03b1989436dbfa9109a40d996ee12d593d633569d7c83a9c5b71c4a981b402ba2928f9bc8d858dea5df4c4e38675caa99764a283f82972

Download Submit
C:\Windows\SysWOW64\Bhbcfbjk.exe

Filesize
324KB

MD5
e1600ad3a28db605723e0a7dee2d40ec

SHA1
b3cb300f7e222fc0b2a244d6ccaa89e742669ca1

SHA256
4864fe9169c2b7099178586d8000d69e6590278ecbcc4cc2cda1816fef944f3c

SHA512
425ea4f92f7b1b51b726c0d9b2a18f2caac25814e3245238295e41fd3f97a0897704f4c89dda2ba56c0cf744680c452aceb9fb3aab0b9540d63aebf47d99d920

Download Submit
C:\Windows\SysWOW64\Capkim32.exe

Filesize
324KB

MD5
116a51886ae36ce3451f7f2bff9240a0

SHA1
4bdbc11127594e2ecf5fa3ea54e91b9c8495f08a

SHA256
88608443890a8d2c038498042f14ba11ad0e53b26259c37186de2baa0d112664

SHA512
3a1faae2bb546b3b53796da843d7e5a69689e190a36449129ef192450e3c325a6833b9d84dccac224884b1174d0b29dba8567bbf0d9e2ee3cbb2e561f06b1eef

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
324KB

MD5
64b99031683067f87b2702d7f334b2cd

SHA1
854b596f257029f9b90af93293ec55e85a469596

SHA256
5776c7b02949bcb470cf9a2f651f04cf591718171e9e38a34840ef3676157fe2

SHA512
f87dd36bbf012f43d97e2eaea92ed7b2d531b5ed31dd95e283b15d1b773dbd8aaa7491a2f9b743de33a512a57d0b025ffd0826a11b974847d0b7b3d0bc8e682c

Download Submit
C:\Windows\SysWOW64\Dlkiaece.exe

Filesize
324KB

MD5
77d8bdec2e1a5be10851de65965d811d

SHA1
c50a0451325237ad99a5bdd48ddbea762da1c947

SHA256
2d96383b25b1c465d07d46fa6468a8c4ac3e53d7d2be0ec3d9747078ef5e8ee5

SHA512
1590cc64c6b4a4115f2f167a61a35c2fe1ce344512aa1b22540bbdb279b1444db90629446b28585b6051ab799c7cbdc18b8e1da76043eb82b7f54997e69288b7

Download Submit
C:\Windows\SysWOW64\Eangjkkd.exe

Filesize
324KB

MD5
cc38d0945ccc9872b1bf329621b53c7c

SHA1
d1593d1f5cc621487f4a8d5063f5e8fc3e13a429

SHA256
1862e0354493c78d64ed5f64e1284281b13a7479e19002faedce62ff009e016a

SHA512
0bb488b33cebd570f52611e573fb263280cb356b36443a70335ddc05c191daa0b25dad18b9dc97a503e824574ccc66b3d44ba6b46de53aa31fb5a5511b65c2d5

Download Submit
C:\Windows\SysWOW64\Eelpqi32.exe

Filesize
324KB

MD5
dfbdc42a5348198eb46f60f2039af200

SHA1
70af28b948571166fd6e924de0d6c02949cf6c93

SHA256
33f483ee649ab7fc80fce332e95b7d2c42655ab4e2d7b6f8762846084f42c318

SHA512
0ac27121c6d75e862e82aa44ba8aad3e5cabe3c6341bd460b408aeaf5332bbd5bdbabb1a9aaca6a5a3a38c0fc1e1cb47e6795d6104a9d3fbb7ea1f4a6671274d

Download Submit
C:\Windows\SysWOW64\Ehofhdli.exe

Filesize
324KB

MD5
17cb15192dae6b09c2cc29fecb802fd3

SHA1
223e971280b3e30415ce69655e154c749cccbac3

SHA256
3fec5ecb569d2fd825d7aaaca0677009262f075a89ee3a5b2d4108f591c7fd28

SHA512
1ee18fdd1e16966a5ae1b00768dc5d6f39afbc6e0ff0ded880805385f4b13695e2982d88eac6132327c16feed949f0aeade81f7bb7462ca2b4969ef96f5fe991

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
324KB

MD5
b5a8c4c11235b72d93dbd9d03599c27a

SHA1
586b0c334a95b4fcd15d6f639bfc58614ff185e2

SHA256
a35515a9bb0c322bd0923da65795ea02e1f5aadad7d49e9b1c26ce1e7acde367

SHA512
aff79b3c8ca3d9d60f11be999127f79061a8f707ed0b38eae88f6ad070542ccf381be1970e96895caa1e32ce75f7ff85126d3e9a54ddb43b42787dda240c9de3

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
324KB

MD5
6d200d7ccb7e0e0a28bb81299b6d26ba

SHA1
de1f84a30957d8e56500f52141955084c037d587

SHA256
9a869d5776aa26ab95ecc04f4b89bccf74f5379806d7f06cd7f29b896093dc22

SHA512
4eedca8a86cf29e5b44db89a1b2aa3823dfaff4a4cc161c00ed7c27adb23557fab1e674237adbc1396b4f90ad615a835de074a9dd91e5c76ce413551d82aa9c5

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
128KB

MD5
ac90301a0d341485fcd0e5d7a03775db

SHA1
f89949278e38c9912cdd8d583e149a074527a0a3

SHA256
1147472e787d81648d4363e6929955ee8eef677ac42a10eb7673071e05c43144

SHA512
3d7b76d29e7cd189db409bdfecd2da04f902ffd69c086ccf732bc53d5525ac2016ef46f14650ba59b4423e5180a4b83b5a4ae738d18a99a7793f536cc38cd894

Download Submit
C:\Windows\SysWOW64\Glpdjpbj.exe

Filesize
324KB

MD5
3e834594edeffda89ac48233df1be754

SHA1
72ded38dbaf973751e8267c7b9e2feb4139a6158

SHA256
f16c7d0a749dd7f1fe2d2f8c7caa88ba7485a569e9b09b7f33c6c0579e617b17

SHA512
1f8523acc28776266c8d726e46da2b1b16ed8c0d0cb32314db36c8aed86e53ab5e07a25168409d38a82ced4fe8dfbaad5d35f4789a8d770a4242df5a2105a3d7

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
324KB

MD5
49e62c133cea8383a215e16f76629519

SHA1
5feb6feeeaf73877f3b8f043e1d794a58b714170

SHA256
88d7c56dbd1e4b3170c15f07790d2dcb2f3af733ef5a1a9c97301bf4640faf16

SHA512
3d64ce8ed93b73e5eec75f842296dfb8a2deba7c8d05baf1c2c71d57e1fef857a280adaaccf34c351b40a51d885f0b41ee3af62e3a2fe96b51140a52bbadaa80

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
324KB

MD5
66a6b08c4638c25e4df1b700a2ab79f5

SHA1
c6acea3d5f07c0156c011d1d65c66c2343cc544c

SHA256
c3c70bfcaf1d132356bce827be969aed13bcc6d53750dc3ec10f0a30d6513fb8

SHA512
3227edcabb6c6f1cb3ef29811dcc1ca7e8a1ddd93d8364339d5a7425a0426d5b9643c9bb788e5d1512e8047a8d1ccb78cdd8d03d1d0ca6dc4d772e45fb3d8fc0

Download Submit
C:\Windows\SysWOW64\Imiehfao.exe

Filesize
324KB

MD5
9db49ded6673c46b55ea0d5b02a9e350

SHA1
6b07bc69deec4fa26828759d6b2a79159cdbccb3

SHA256
bbc966722825575b8c6f1fdd31ceb43fb829237471921efe1f89ade1fc5dbf48

SHA512
094ad40979f5c3424dd61a9a709d3830a5840a14073e7a8152e1339691715dc26aece9297168a27d9a9fa80428b835aa924dc8c8d15c38af10605f960a3445ea

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
324KB

MD5
9aa0011f84155a682e829c9860b56543

SHA1
00d99e0a981b09a3f140dc53b1921de4fd5b174e

SHA256
685e6fe3ed74c5eeaeaf6c4f9777eefebe296b4a36603e4d47c05a672b04b4f2

SHA512
885671f593451dc274a1c42b76f35245fb945a14888b21adab7d5e5394d65688e975db681d1f998c572f8196c8887aace5528d602b5c89f2288deb3bb611d299

Download Submit
C:\Windows\SysWOW64\Kbbhka32.exe

Filesize
324KB

MD5
e8d2fbe33d381674a8ad7cb6a9f582cb

SHA1
bb215b0c60e990784f90443dd0af8e4aac6ac480

SHA256
6a01c49e51871bbc2594378e247e2c9f162b1d0dd5b2b0f1f34732decb81788e

SHA512
60627b6dbd072536fdd6e0e73d9986b28e920295c2b1f9ad777066e1ce3aefe443643d0a85b67b031d8bf2d5527def6323ff270186ddfed67a0afa47a47d3a3d

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
324KB

MD5
f7163ababad02aeef9ebe58a16d92d1d

SHA1
795c42b8f5ddea0cf80c9683620be0b56f82ac0a

SHA256
1d2a887829fcc59608824a1719637e8768e4d377f0d5f95e6e967f94d1aa0ac4

SHA512
dc0426c224c0ad61964e9694fe2b301cf517ca1d4226d84467eb192a656310bd9d99393e7a04d0fed4d538d2f4a4d95938fa2b731c21051acea14ecd39bb3498

Download Submit
C:\Windows\SysWOW64\Kilphk32.exe

Filesize
324KB

MD5
ca938d202297f521311f5d92e8bed103

SHA1
fcc554f49da0716759863eb30ed1aea0c268fce2

SHA256
60b77ca967a7e7ba2f767c5b5599684731680e8e210724957b10fa01492fafd5

SHA512
1e2f7d7a2ddb37436664d3ab0535114486c0200495043c1aba85b5e3754a706fed57e3697dc52653f6502157f41c3fa25440e4adee7334b1db7cf24b8144fd97

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
324KB

MD5
1c26a6b2a2eec369f0433de1c404618d

SHA1
f9d9962e219e6a939a097e5d1194fee1d187b955

SHA256
d5219407081edf61fc9708b6eda8725269d08a13936c98806c0b57e00adf90be

SHA512
19ff3bf797e078f5b438dfba00a3bd5a3362d41106cf34094ec38803fd00727172cb20ae483bd0052868ed923fd28bb5d4c847b00e2a48ca84ba8ef8aff9adb7

Download Submit
C:\Windows\SysWOW64\Maiccajf.exe

Filesize
324KB

MD5
286fcf4063f30dad20d819e591c9c92f

SHA1
cf938ba9e792adbd5ea6afd1e6563167cfe35628

SHA256
1f9e4655fcfbaf6576102e85795b39103c06a977b6a0a4c0090c920cb8c65e41

SHA512
f0ec65c0f9193b6e8c9732f812798a6b44e61a91cda76e87231749bac595c34e4f2dd11a640b8c20cd427e6067785c801824ae45db8222f3b69392daf1eec84c

Download Submit
C:\Windows\SysWOW64\Maiccajf.exe

Filesize
324KB

MD5
286fcf4063f30dad20d819e591c9c92f

SHA1
cf938ba9e792adbd5ea6afd1e6563167cfe35628

SHA256
1f9e4655fcfbaf6576102e85795b39103c06a977b6a0a4c0090c920cb8c65e41

SHA512
f0ec65c0f9193b6e8c9732f812798a6b44e61a91cda76e87231749bac595c34e4f2dd11a640b8c20cd427e6067785c801824ae45db8222f3b69392daf1eec84c

Download Submit
C:\Windows\SysWOW64\Mcjmel32.exe

Filesize
324KB

MD5
d380af12156b2223d1c449f9a582b487

SHA1
9673472c598c8281d573ee804bac29ff1fd4f98b

SHA256
5886e74ee45e4c2d71734266beb9e543b884db451db766ad0dcd1056606d7836

SHA512
f3edde55d55f5f38aa5ae69f149243cf82dd06e7911ab80d55c336a022712a0f73222836a0ef9765c1ea7727017af71d111e758435cd4b9d40fcf1e4f3be3c34

Download Submit
C:\Windows\SysWOW64\Mcjmel32.exe

Filesize
324KB

MD5
d380af12156b2223d1c449f9a582b487

SHA1
9673472c598c8281d573ee804bac29ff1fd4f98b

SHA256
5886e74ee45e4c2d71734266beb9e543b884db451db766ad0dcd1056606d7836

SHA512
f3edde55d55f5f38aa5ae69f149243cf82dd06e7911ab80d55c336a022712a0f73222836a0ef9765c1ea7727017af71d111e758435cd4b9d40fcf1e4f3be3c34

Download Submit
C:\Windows\SysWOW64\Mdodbf32.exe

Filesize
324KB

MD5
ffc9905bc645d0b0075d21d1f8e124c1

SHA1
4db88a0f21c6b22f856bc9ba6dec7b41adff4abe

SHA256
cce17865b4ecb6b71ce6ed6bb2dbc9cd971045be606d53e757b8681971eba82c

SHA512
2be75cd0ccacd672de8bcc5da0bcf29d9998279fab70863ebb308244bca5cd6d0030a8eb1d0e15a40a5a067fc58d1a9ea519bc557884573e25b865a8cae5e1da

Download Submit
C:\Windows\SysWOW64\Mjdebfnd.exe

Filesize
324KB

MD5
98c07cfea85b18eed17e686963f47ebc

SHA1
e7a1f5734482ff291bbf04d563e3f31638bf21f1

SHA256
01e0aff7f42fbd844c3b30c5cbedc0d95e8d8e41f3fd77e720415deb9b62f741

SHA512
887094d15361b59c3aee28e5c36643c4a31fe78a6ee5360def05ce9daf287116020aebacef4cff54d0666781ed33f13ff7d0d7bb929c00820586252ce840b535

Download Submit
C:\Windows\SysWOW64\Mjdebfnd.exe

Filesize
324KB

MD5
98c07cfea85b18eed17e686963f47ebc

SHA1
e7a1f5734482ff291bbf04d563e3f31638bf21f1

SHA256
01e0aff7f42fbd844c3b30c5cbedc0d95e8d8e41f3fd77e720415deb9b62f741

SHA512
887094d15361b59c3aee28e5c36643c4a31fe78a6ee5360def05ce9daf287116020aebacef4cff54d0666781ed33f13ff7d0d7bb929c00820586252ce840b535

Download Submit
C:\Windows\SysWOW64\Mkmkkjko.exe

Filesize
324KB

MD5
c98b64994117be4bf8f99d0145b59bba

SHA1
b5f17b427aa8af01572139023a2b75393f4ffc00

SHA256
8ceb4b6302a55b6524ba548c575140fa121e2c608bac1283722badbe4223311c

SHA512
4d253a436dd8c4858bfa626dd6386317b33b29bcfc1537157c6cd4612ab2e8a04c8947f12926a910276800bcd18b9af92da6195bf59ec613eb76f75834660979

Download Submit
C:\Windows\SysWOW64\Mkmkkjko.exe

Filesize
324KB

MD5
c98b64994117be4bf8f99d0145b59bba

SHA1
b5f17b427aa8af01572139023a2b75393f4ffc00

SHA256
8ceb4b6302a55b6524ba548c575140fa121e2c608bac1283722badbe4223311c

SHA512
4d253a436dd8c4858bfa626dd6386317b33b29bcfc1537157c6cd4612ab2e8a04c8947f12926a910276800bcd18b9af92da6195bf59ec613eb76f75834660979

Download Submit
C:\Windows\SysWOW64\Nccokk32.exe

Filesize
324KB

MD5
d809c378ac6b6e5f90f197741681f607

SHA1
5a231390ee82c9ad861e8064307b53194efdb557

SHA256
1ce13ffa4a461929d53cb0440cc415c2d7bab849f381f7c43d6d17c94f643c0c

SHA512
ec764c76ab971dea59d8e3817a5da26c306be57dcbcc9bc8e9678f7495b74c9913da23658fb72fb2e2e22d0027fa2037159c16bc8c79c526fac23fca96c84b08

Download Submit
C:\Windows\SysWOW64\Nccokk32.exe

Filesize
324KB

MD5
d809c378ac6b6e5f90f197741681f607

SHA1
5a231390ee82c9ad861e8064307b53194efdb557

SHA256
1ce13ffa4a461929d53cb0440cc415c2d7bab849f381f7c43d6d17c94f643c0c

SHA512
ec764c76ab971dea59d8e3817a5da26c306be57dcbcc9bc8e9678f7495b74c9913da23658fb72fb2e2e22d0027fa2037159c16bc8c79c526fac23fca96c84b08

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
324KB

MD5
7624800d24ec69fb432ff9011ab90c6b

SHA1
ae2e2ebac8719d9757566d2927e6f6bbccb89f4e

SHA256
9d728f62e593cc3306c3970b09cd483e25aa3ea3c53be2c627368fc0e9645a08

SHA512
79ac0864eb2cc638fb67b1c319a15718ebad98b34eda6f160b3ad799b84d2c469bdaff1af93bda660995ec8fcf3b68fbfb2b71058784ee0704fe3295517b7cd7

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
324KB

MD5
7624800d24ec69fb432ff9011ab90c6b

SHA1
ae2e2ebac8719d9757566d2927e6f6bbccb89f4e

SHA256
9d728f62e593cc3306c3970b09cd483e25aa3ea3c53be2c627368fc0e9645a08

SHA512
79ac0864eb2cc638fb67b1c319a15718ebad98b34eda6f160b3ad799b84d2c469bdaff1af93bda660995ec8fcf3b68fbfb2b71058784ee0704fe3295517b7cd7

Download Submit
C:\Windows\SysWOW64\Nghekkmn.exe

Filesize
324KB

MD5
6b37c619e98e8ef3804bfa7d49d6b6b7

SHA1
b73d4d63411bdfe8e3a918d4b223b11ceb93cf87

SHA256
aa83790802ceab867113b8f0b492f1ece09e0e63ada9a22620334e4b5f8cc092

SHA512
eb024f323049e7675a5b0efae136cb6f3ca695e7af56bce6fb943aeb4864f288d4f0c135a768ae3e45cc2189af2971c27114dc49d30f68701370da5037d12460

Download Submit
C:\Windows\SysWOW64\Nghekkmn.exe

Filesize
324KB

MD5
02dd721a5dc0ebe2cc1b82a1ecfb1f21

SHA1
6a7954d2aacdd0e7309f7399e0109b77e8309913

SHA256
c6078c8de931bfa8a63b8a8551514550afadad7e6dca4ecdf562a181392d5f36

SHA512
afedceef4909c1de48c481dc0d17c1e5f56d42239e7b82c47d425476da5dae5bee3bbb56242d1d0d72e14af32608058edd2bd9c5ff4d62d18f040819dd845543

Download Submit
C:\Windows\SysWOW64\Nghekkmn.exe

Filesize
324KB

MD5
02dd721a5dc0ebe2cc1b82a1ecfb1f21

SHA1
6a7954d2aacdd0e7309f7399e0109b77e8309913

SHA256
c6078c8de931bfa8a63b8a8551514550afadad7e6dca4ecdf562a181392d5f36

SHA512
afedceef4909c1de48c481dc0d17c1e5f56d42239e7b82c47d425476da5dae5bee3bbb56242d1d0d72e14af32608058edd2bd9c5ff4d62d18f040819dd845543

Download Submit
C:\Windows\SysWOW64\Nhbciqln.exe

Filesize
324KB

MD5
171e293b2a5c37c6794dc79e6528c2f8

SHA1
d2c51fe951163bab0317ff408342b7697b8da59c

SHA256
3a8c2384186e5e8b4c5de4343e261f6e038950fb2a565d07720cc82aab72ea73

SHA512
2c9e42750a6f900bda7c9bd76a6132fdfd331a83b4e3191faeec0af7e158723780a34cdc1ce3d0a242681e376a4a59e921f573eb90251d4c388a8dc3c9ccf589

Download Submit
C:\Windows\SysWOW64\Nndjndbh.exe

Filesize
324KB

MD5
e79d16f1a83f997fae2dfc54c15eb683

SHA1
4221bf3d87d3dc0ca873984fde43dcb86f814c84

SHA256
8a45dd7323fda3a4eccf27d541991acd612b3bbfb433756c673277d8d6c0782f

SHA512
ef41730cae1d8b6ba2f156fa6f1382dfb7c86adb162f5eebea486ed227365d3dccbe3987e811850899b859936b6002bbc56d93675f77e049103d311a3c9303a8

Download Submit
C:\Windows\SysWOW64\Nndjndbh.exe

Filesize
324KB

MD5
e79d16f1a83f997fae2dfc54c15eb683

SHA1
4221bf3d87d3dc0ca873984fde43dcb86f814c84

SHA256
8a45dd7323fda3a4eccf27d541991acd612b3bbfb433756c673277d8d6c0782f

SHA512
ef41730cae1d8b6ba2f156fa6f1382dfb7c86adb162f5eebea486ed227365d3dccbe3987e811850899b859936b6002bbc56d93675f77e049103d311a3c9303a8

Download Submit
C:\Windows\SysWOW64\Nnfgcd32.exe

Filesize
324KB

MD5
e51dfb77667c53b3181edd58d646d64a

SHA1
aefced84e8a907dbdd67c5de4e4db695a50f15a1

SHA256
6d7b0aedb8116f2fb9b8dcf7024009946fd72d9e1e515a152c1735cee1b1bbe2

SHA512
94368a9d0751678960d7b41b12ad0e8b735c9e3e2731bb15a0978c6202e041e90b1eea914b61b832a0d8c0d2370cdbf9cb6115a5eac3d8cb139126a9d21a499b

Download Submit
C:\Windows\SysWOW64\Nnfgcd32.exe

Filesize
324KB

MD5
e51dfb77667c53b3181edd58d646d64a

SHA1
aefced84e8a907dbdd67c5de4e4db695a50f15a1

SHA256
6d7b0aedb8116f2fb9b8dcf7024009946fd72d9e1e515a152c1735cee1b1bbe2

SHA512
94368a9d0751678960d7b41b12ad0e8b735c9e3e2731bb15a0978c6202e041e90b1eea914b61b832a0d8c0d2370cdbf9cb6115a5eac3d8cb139126a9d21a499b

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
324KB

MD5
e772dae8167d7445d9d7f94d4aaecac2

SHA1
8da42259f4847120a9638fd45f05121717662063

SHA256
a1b010c280a73aeabd8ee0cc7031571d6820420059fb2f08eb26e5bd8509d5fa

SHA512
1540489c2a8d240898776a6b21d4e8e1a1ece60f599a2ebb46e57c7ed61017bdd27c2cb7c2130fd2c7f3e394169785d3de18f13d17208eaf0c1f8a503bc9631f

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
324KB

MD5
e772dae8167d7445d9d7f94d4aaecac2

SHA1
8da42259f4847120a9638fd45f05121717662063

SHA256
a1b010c280a73aeabd8ee0cc7031571d6820420059fb2f08eb26e5bd8509d5fa

SHA512
1540489c2a8d240898776a6b21d4e8e1a1ece60f599a2ebb46e57c7ed61017bdd27c2cb7c2130fd2c7f3e394169785d3de18f13d17208eaf0c1f8a503bc9631f

Download Submit
C:\Windows\SysWOW64\Oalipoiq.exe

Filesize
324KB

MD5
eb185f85789f03fe86aa937ed4984dd2

SHA1
4430a73eeb54366a464d7aa01a214c12aafd38ef

SHA256
b66fb8bca2309287e85ec5c5159127c9055ef2fff9cf9ebf57cf39bafa845c80

SHA512
85112fb91ac9542a52893554a618c28c04b1dc09fa6e00b460f158de4bd70058aaa18213178e0525c474936d555aae3e77554ee197a8918b65364df9dad57402

Download Submit
C:\Windows\SysWOW64\Oalipoiq.exe

Filesize
324KB

MD5
eb185f85789f03fe86aa937ed4984dd2

SHA1
4430a73eeb54366a464d7aa01a214c12aafd38ef

SHA256
b66fb8bca2309287e85ec5c5159127c9055ef2fff9cf9ebf57cf39bafa845c80

SHA512
85112fb91ac9542a52893554a618c28c04b1dc09fa6e00b460f158de4bd70058aaa18213178e0525c474936d555aae3e77554ee197a8918b65364df9dad57402

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
256KB

MD5
eea87d032b685918a5f6e9a8bfe43449

SHA1
66bbf4cdc5a7b41cd3a27a613af4a54c70dac73f

SHA256
27acfd078a1e007d1d5e6206629b0546e25a5b81a8ae92d6af4898f8b87cfd87

SHA512
c90df39e1f6d3186d07f49d93bc03a84e37c71a6851a86bebb619765d850a0e819c06b5dc38b80cc14e630830e14813d8bef2e11090299b1328b8d22878f103b

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
324KB

MD5
049e957a7fc05b14b3cc5929ca00e118

SHA1
15d7d3ea307e54c7fb055e69a56436529ff20d8a

SHA256
008e57c835013800884c076bfc7b1131635b0b2d103665e7af0ec53c23bedbd1

SHA512
8aad0b6ecf7cc4a132c126cf47f031534b06d60cb2cf12ffc2d1229fc108f6c62401098ab5de25b1f293a422e032b87ad006665ed8e56baca1af438cebc0c050

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
324KB

MD5
049e957a7fc05b14b3cc5929ca00e118

SHA1
15d7d3ea307e54c7fb055e69a56436529ff20d8a

SHA256
008e57c835013800884c076bfc7b1131635b0b2d103665e7af0ec53c23bedbd1

SHA512
8aad0b6ecf7cc4a132c126cf47f031534b06d60cb2cf12ffc2d1229fc108f6c62401098ab5de25b1f293a422e032b87ad006665ed8e56baca1af438cebc0c050

Download Submit
C:\Windows\SysWOW64\Ohcegi32.exe

Filesize
324KB

MD5
072476fa4ee2b9c09a6578ce70267012

SHA1
7938881b9a954bef86ba3557c8aa735bdfae0e96

SHA256
708ea9516ee4bbba5e5efa157393b3bdb4ca79cafb7f6ca66993db318012106e

SHA512
29c0dae92429b89fd856297492a3393ce541e06ed1673252ff94d130f5073646bd3a545ce13c8d8bc4d655c1b190195b3587c551d88f7241e59df67a18d305e6

Download Submit
C:\Windows\SysWOW64\Ohcegi32.exe

Filesize
324KB

MD5
072476fa4ee2b9c09a6578ce70267012

SHA1
7938881b9a954bef86ba3557c8aa735bdfae0e96

SHA256
708ea9516ee4bbba5e5efa157393b3bdb4ca79cafb7f6ca66993db318012106e

SHA512
29c0dae92429b89fd856297492a3393ce541e06ed1673252ff94d130f5073646bd3a545ce13c8d8bc4d655c1b190195b3587c551d88f7241e59df67a18d305e6

Download Submit
C:\Windows\SysWOW64\Ohhnbhok.exe

Filesize
324KB

MD5
4cd4dc20fb077588ec9129a734bd6e25

SHA1
8e6451c20e09cb8fcc14397e7a6a01f905fd71e1

SHA256
0f4edea5ae19014c10c6a610f50a2984aa106fc89e0c29fefaae9c9edfc30fae

SHA512
19c95b18a04e97d0157f9018cd673486b27fa259b680e07eec93b5dfb0b1f33e4f495dd4c5f49e2192f287c636d7c0eb98813039174a1a402607c82987c9fe39

Download Submit
C:\Windows\SysWOW64\Ohhnbhok.exe

Filesize
324KB

MD5
4cd4dc20fb077588ec9129a734bd6e25

SHA1
8e6451c20e09cb8fcc14397e7a6a01f905fd71e1

SHA256
0f4edea5ae19014c10c6a610f50a2984aa106fc89e0c29fefaae9c9edfc30fae

SHA512
19c95b18a04e97d0157f9018cd673486b27fa259b680e07eec93b5dfb0b1f33e4f495dd4c5f49e2192f287c636d7c0eb98813039174a1a402607c82987c9fe39

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
324KB

MD5
6bbdb0e9a71eb9405762bd1f87a6c6e9

SHA1
415dd391b48b244a55c8621cb462ef12f82b8d86

SHA256
6e5cabe02d3e5461eb3d12557643e8c543d3ed76cc1a78294c6916fda4ca4d2f

SHA512
8d176950800b28cedb0c9135003089212191b8562ad4786b117973642098555b032db1321a3cba8fcf8da924d43387d9802351b7f576d78f67577ad6d0499409

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
324KB

MD5
6bbdb0e9a71eb9405762bd1f87a6c6e9

SHA1
415dd391b48b244a55c8621cb462ef12f82b8d86

SHA256
6e5cabe02d3e5461eb3d12557643e8c543d3ed76cc1a78294c6916fda4ca4d2f

SHA512
8d176950800b28cedb0c9135003089212191b8562ad4786b117973642098555b032db1321a3cba8fcf8da924d43387d9802351b7f576d78f67577ad6d0499409

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
324KB

MD5
c5ce84515090f80630ce894621304c6b

SHA1
66535947a16933468fdfaf47d3fe971cd8d22603

SHA256
691c7c42459d06683fdb43e03ff183f695fb6ec1f092e2c53dec4e763d2c6ddb

SHA512
12fcb47b2b64391b4065c266c49cd6f62a6ca95ce2e9189a9a6c82ddc75d0db0c79fc1e77f42ad4c55eb9e362be7def39b6f0afafbbe5bf6637cb79e5ae41a0a

Download Submit
C:\Windows\SysWOW64\Paelfmaf.exe

Filesize
324KB

MD5
3f30a2640e2706a444c3fc94fb4c4cf9

SHA1
c237e5e52d57972e021837307db8e98e8f7ed2f7

SHA256
f49eadd2ae0966da69f412825a0572508638af54f9046753bfd981bf1c4e9123

SHA512
d3aebda6975b085e5ee8f7bebdb44a120432fcf4f54dc297039ca5f6f9b5c3b0f04df07f8848b909ff71a1beee658c36313b549a47584fa129fc4d13128afe23

Download Submit
C:\Windows\SysWOW64\Paelfmaf.exe

Filesize
324KB

MD5
3f30a2640e2706a444c3fc94fb4c4cf9

SHA1
c237e5e52d57972e021837307db8e98e8f7ed2f7

SHA256
f49eadd2ae0966da69f412825a0572508638af54f9046753bfd981bf1c4e9123

SHA512
d3aebda6975b085e5ee8f7bebdb44a120432fcf4f54dc297039ca5f6f9b5c3b0f04df07f8848b909ff71a1beee658c36313b549a47584fa129fc4d13128afe23

Download Submit
C:\Windows\SysWOW64\Pajeam32.exe

Filesize
324KB

MD5
ee260d36fb32dc1318ea6499546b5197

SHA1
e4642300260ea72611a312a35b6b159c57eda7b6

SHA256
7c1177c465a73d6b18bf4fe43fd01f1b7dae30dfc4d24122220f3fe577a91608

SHA512
2f0238a6e12cd3b14f5e735d84c1561fb8704d7b63d468c3aa3c01e61982765696ed29919654004ea3e7f324d8adf2650d57d6e2e0d2db8905fff1affd4b7ca4

Download Submit
C:\Windows\SysWOW64\Pajeam32.exe

Filesize
324KB

MD5
ee260d36fb32dc1318ea6499546b5197

SHA1
e4642300260ea72611a312a35b6b159c57eda7b6

SHA256
7c1177c465a73d6b18bf4fe43fd01f1b7dae30dfc4d24122220f3fe577a91608

SHA512
2f0238a6e12cd3b14f5e735d84c1561fb8704d7b63d468c3aa3c01e61982765696ed29919654004ea3e7f324d8adf2650d57d6e2e0d2db8905fff1affd4b7ca4

Download Submit
C:\Windows\SysWOW64\Phaahggp.exe

Filesize
324KB

MD5
6fe3edcc14e09d3e548bc4646c60693b

SHA1
ee11b8125f10c884b09e0df932915f7dbb4288e5

SHA256
7481a81296a509ec843f01758dfc9b0f1c9519928d65be5584f3378cfa6b7b17

SHA512
3af7dac89db8f18365e10be8d637f581d8a261111f165662b717adf3b94157b43ba4da14495cd8d54aa0eb8567a56f2ce3af283bfd17ff7d1776b420bb9e4023

Download Submit
C:\Windows\SysWOW64\Phaahggp.exe

Filesize
324KB

MD5
6fe3edcc14e09d3e548bc4646c60693b

SHA1
ee11b8125f10c884b09e0df932915f7dbb4288e5

SHA256
7481a81296a509ec843f01758dfc9b0f1c9519928d65be5584f3378cfa6b7b17

SHA512
3af7dac89db8f18365e10be8d637f581d8a261111f165662b717adf3b94157b43ba4da14495cd8d54aa0eb8567a56f2ce3af283bfd17ff7d1776b420bb9e4023

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
324KB

MD5
fae27b09863fb774da311a18256adb1f

SHA1
97e90f25037f44c9542b591fa177c465b46a0517

SHA256
5694e5fcea4bd76e681ea11ad6c9e7a660da7ff6386a4a8a98a497aa26327d23

SHA512
f342cf6ecae7fc568cb66dab2790c03e29da83ca9a98d1b2e26678bb9a4c969c51d3c574e9c7db30b1935738182776f6990d5c91030fa60d571cc8b266318e59

Download Submit
C:\Windows\SysWOW64\Pkgcea32.exe

Filesize
324KB

MD5
35f4b7c9cc33f38167cba8022a7599dd

SHA1
de27886501b4e8b5e0090fe2f226fd567b266d75

SHA256
e4dccb4424de2e46aeb0e73a74ad8562d21b5f31d39ebe0b6ce440d1a149460e

SHA512
2616e3f21452bd764a3e49be97d51fde20fa00222d6a3ee4b28d72e4c19f4a5c599dc7fdcb0010dfc35aee49f11a93a723ad67a62c4e81ad01f82ee21dbf1c87

Download Submit
C:\Windows\SysWOW64\Pkgcea32.exe

Filesize
324KB

MD5
35f4b7c9cc33f38167cba8022a7599dd

SHA1
de27886501b4e8b5e0090fe2f226fd567b266d75

SHA256
e4dccb4424de2e46aeb0e73a74ad8562d21b5f31d39ebe0b6ce440d1a149460e

SHA512
2616e3f21452bd764a3e49be97d51fde20fa00222d6a3ee4b28d72e4c19f4a5c599dc7fdcb0010dfc35aee49f11a93a723ad67a62c4e81ad01f82ee21dbf1c87

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
324KB

MD5
1b36828a06861ce2f32d68220f23d5a7

SHA1
7f4f53f49027ff32423a1185ed6f13e61888bf79

SHA256
f69d0482c1f52b355f86459ede7cdf344e04eeb95d13b8f53faeb5e3bcfb6e8f

SHA512
1cb34d1bcbc68daf7986e8e4cbee1373d2f659f4b43f3783d80e8c3c8e64fab3ea3a54ff755ae3e5bdf5886b28c5887988cfd9e2c0aa0d7478ba54e33c5d2eb2

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
324KB

MD5
1b36828a06861ce2f32d68220f23d5a7

SHA1
7f4f53f49027ff32423a1185ed6f13e61888bf79

SHA256
f69d0482c1f52b355f86459ede7cdf344e04eeb95d13b8f53faeb5e3bcfb6e8f

SHA512
1cb34d1bcbc68daf7986e8e4cbee1373d2f659f4b43f3783d80e8c3c8e64fab3ea3a54ff755ae3e5bdf5886b28c5887988cfd9e2c0aa0d7478ba54e33c5d2eb2

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
324KB

MD5
168821d51a590ca3afab29b1ff3fb056

SHA1
38f511a259df60c13a746dd57eb0ead814c72cc5

SHA256
24c6cc4ffbd1fdb6c472dc92c31a635162a62ae0044a223710beffeb1e0e5033

SHA512
b07a8bf2f4298a66064e0cbc5812fc633465eee62b4fbb66aa20db0f355082984b8b9dd9b0ca2f276c7a5bac314e3e31b744b189f9dba8bf6dbd2155938bd290

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
324KB

MD5
168821d51a590ca3afab29b1ff3fb056

SHA1
38f511a259df60c13a746dd57eb0ead814c72cc5

SHA256
24c6cc4ffbd1fdb6c472dc92c31a635162a62ae0044a223710beffeb1e0e5033

SHA512
b07a8bf2f4298a66064e0cbc5812fc633465eee62b4fbb66aa20db0f355082984b8b9dd9b0ca2f276c7a5bac314e3e31b744b189f9dba8bf6dbd2155938bd290

Download Submit
C:\Windows\SysWOW64\Plpjoe32.exe

Filesize
324KB

MD5
2efd6172e46a7c8913b0e074af2a8caa

SHA1
de34acde168a85ceca751c33feae912a0813b5b2

SHA256
07dd60b00315309ccf0d42b32d9629d105c73d1af5771f1ac80b1ea76cdda6ef

SHA512
46bc4030a99291e0d6d2accbcb6cd7575933eb8420f31c4f19f5fd5bcd11beb0d40707c57cbd95cc5acd4518dd1457522bed8a659ee7cd49a84e852a28294aed

Download Submit
C:\Windows\SysWOW64\Plpjoe32.exe

Filesize
324KB

MD5
2efd6172e46a7c8913b0e074af2a8caa

SHA1
de34acde168a85ceca751c33feae912a0813b5b2

SHA256
07dd60b00315309ccf0d42b32d9629d105c73d1af5771f1ac80b1ea76cdda6ef

SHA512
46bc4030a99291e0d6d2accbcb6cd7575933eb8420f31c4f19f5fd5bcd11beb0d40707c57cbd95cc5acd4518dd1457522bed8a659ee7cd49a84e852a28294aed

Download Submit
C:\Windows\SysWOW64\Pmaffnce.exe

Filesize
324KB

MD5
1f7e7a80115dc4047e3db13694d0c6ba

SHA1
14efa1bc018bcfe2550bfbb58a367c6a862cc83a

SHA256
dc67a1501e94c4f34e03e7f8252fad12c2849497a2df0bbe1f051f387ffe61fd

SHA512
35ca8510ba6267a8e16970153eb2dab2990ad2c33ba5281b9013a77560f7f7080b45b1f8e570a6ed1b54bebfee8e376a4ffcf95833526b57b9a65d488b79589b

Download Submit
C:\Windows\SysWOW64\Pmaffnce.exe

Filesize
324KB

MD5
1f7e7a80115dc4047e3db13694d0c6ba

SHA1
14efa1bc018bcfe2550bfbb58a367c6a862cc83a

SHA256
dc67a1501e94c4f34e03e7f8252fad12c2849497a2df0bbe1f051f387ffe61fd

SHA512
35ca8510ba6267a8e16970153eb2dab2990ad2c33ba5281b9013a77560f7f7080b45b1f8e570a6ed1b54bebfee8e376a4ffcf95833526b57b9a65d488b79589b

Download Submit
C:\Windows\SysWOW64\Pmcclm32.exe

Filesize
324KB

MD5
f118a450d90adb9a4f083b07d68088d8

SHA1
24713afddde8f35171c6bf0e3b65db8aba605557

SHA256
6d7a8067d7b7969aacb21bd84d149eb371b6fda201b5b45437c27fc759d67720

SHA512
e7da718731fcfee551dd894433c4af2222614d321517f696f2f34b1f5b1817a79c1c3a204acaa3387f9acbc19615ba6171cd9cb90ce91c5905b9d2bb97b8b345

Download Submit
C:\Windows\SysWOW64\Pmcclm32.exe

Filesize
324KB

MD5
f118a450d90adb9a4f083b07d68088d8

SHA1
24713afddde8f35171c6bf0e3b65db8aba605557

SHA256
6d7a8067d7b7969aacb21bd84d149eb371b6fda201b5b45437c27fc759d67720

SHA512
e7da718731fcfee551dd894433c4af2222614d321517f696f2f34b1f5b1817a79c1c3a204acaa3387f9acbc19615ba6171cd9cb90ce91c5905b9d2bb97b8b345

Download Submit
C:\Windows\SysWOW64\Qaalblgi.exe

Filesize
324KB

MD5
4d8873c84b26f07e7923dabb37421cf0

SHA1
0826e1117c9e968cc738a55630143a56455bfa16

SHA256
f660bfc20b65ed930eda7d2cf4e232efe58f832a7e80b0d6d95fedfad8ac7771

SHA512
0cd723a0b03f2ec4b26487522690c73d9478d7c4993174296bd64b84e9c0846c1c4b00c040efe8c2426cf920054810dbce11871987779db4559812e24683d74b

Download Submit
C:\Windows\SysWOW64\Qaalblgi.exe

Filesize
324KB

MD5
4d8873c84b26f07e7923dabb37421cf0

SHA1
0826e1117c9e968cc738a55630143a56455bfa16

SHA256
f660bfc20b65ed930eda7d2cf4e232efe58f832a7e80b0d6d95fedfad8ac7771

SHA512
0cd723a0b03f2ec4b26487522690c73d9478d7c4993174296bd64b84e9c0846c1c4b00c040efe8c2426cf920054810dbce11871987779db4559812e24683d74b

Download Submit
C:\Windows\SysWOW64\Qachgk32.exe

Filesize
324KB

MD5
b488bf304026701445d6431a4d8a1fdf

SHA1
bf64f79a8620fcf516eece88dd4ffedcfeee6420

SHA256
a49e595451f60083edfe9891fc35ec1e6fabb8fe6e0f1c7ba36e20ee1716129f

SHA512
b4db41092d8db8f6d3a0fe3c2318b22ff4ac66e609e608c8e8596ed9660443ec58c1bff00e00a28aa06f5be66d98c2e3dcdd326a0c7c2c1e9db53a0db2724768

Download Submit
C:\Windows\SysWOW64\Qachgk32.exe

Filesize
324KB

MD5
b488bf304026701445d6431a4d8a1fdf

SHA1
bf64f79a8620fcf516eece88dd4ffedcfeee6420

SHA256
a49e595451f60083edfe9891fc35ec1e6fabb8fe6e0f1c7ba36e20ee1716129f

SHA512
b4db41092d8db8f6d3a0fe3c2318b22ff4ac66e609e608c8e8596ed9660443ec58c1bff00e00a28aa06f5be66d98c2e3dcdd326a0c7c2c1e9db53a0db2724768

Download Submit
C:\Windows\SysWOW64\Qklmpalf.exe

Filesize
324KB

MD5
15072af97dedef967a9111254eb920ac

SHA1
0961494853008159fb7111de21bd714709a2032a

SHA256
9826131731d4284d8be72dd0465d88def63efd7486f07b61a553609bbd713db0

SHA512
2f795d5a6cf806efaafbefa9e5a0d633f2b33c699ae64542addadba8f72e0c42a01c5fe514943641bbd36236f1aff8181b7dc1499c891ce5899df4a7bd84f2d8

Download Submit
C:\Windows\SysWOW64\Qklmpalf.exe

Filesize
324KB

MD5
15072af97dedef967a9111254eb920ac

SHA1
0961494853008159fb7111de21bd714709a2032a

SHA256
9826131731d4284d8be72dd0465d88def63efd7486f07b61a553609bbd713db0

SHA512
2f795d5a6cf806efaafbefa9e5a0d633f2b33c699ae64542addadba8f72e0c42a01c5fe514943641bbd36236f1aff8181b7dc1499c891ce5899df4a7bd84f2d8

Download Submit
C:\Windows\SysWOW64\Qnopjfgi.exe

Filesize
324KB

MD5
e14d828bc8a9895a49c53715e97e5fcd

SHA1
2ea36e00ac77481870a0323990582978656e086c

SHA256
e56ac9d2c122a63d0263842cc78e5025644c2896950d5dcae9cb0d269a86f7a5

SHA512
c126f9e61b51a20f619f5643cc0edd6f08cce7d74e26428cc58ddef710585241e9df318944250bf073e7cf58a864ee3a13210f90e4c46936dc5e9b7c4febe59c

Download Submit
memory/60-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads