e02b4d7b5dc1aceac81d38c4b451bf41122ae49b482fc5e3d0de09ee016e5ae7

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9bcbdc1909353e9a36e302a9228551.exe
Size

387KB
MD5

fa9bcbdc1909353e9a36e302a9228551
SHA1

a1f2c4a787251c980d4e8be26b27a7627640a656
SHA256

e02b4d7b5dc1aceac81d38c4b451bf41122ae49b482fc5e3d0de09ee016e5ae7
SHA512

27a64fae0315b5e58512a75b5edd66cf769289250157cd229e2ad2b1765985cc7b7b8940f44390f610f3c528005b236e9e78879ee179544d8dfc001fa44d6d20
SSDEEP

6144:xoBx3zOEgHixuqjwszeXmpzKPJG9EeIMT:oaHiPjoPJG9EeIW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oocmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcclld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhecmcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcikejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihphkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joahqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffclcgfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbbffdlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgcfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqilgmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnbqnjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbfldf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhlpqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomifecf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pocfpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifleoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkchelci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcjiff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfokoelp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcalieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlleaeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemqih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjbhmad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibkpcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflnfcgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhoqeibl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bohibc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jklinohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifmmb32.exe

Executes dropped EXE 64 IoCs

pid	Process
4168	Ngpccdlj.exe
4584	Nlmllkja.exe
1952	Ncfdie32.exe
3160	Neeqea32.exe
1608	Npjebj32.exe
3208	Ncianepl.exe
1432	Nlaegk32.exe
3256	Nckndeni.exe
3860	Njefqo32.exe
2860	Olcbmj32.exe
1372	Ocnjidkf.exe
1844	Ojgbfocc.exe
1424	Oncofm32.exe
3392	Odmgcgbi.exe
1716	Ogkcpbam.exe
1096	Ojjolnaq.exe
3396	Opdghh32.exe
1836	Ofqpqo32.exe
828	Olkhmi32.exe
2516	Ocdqjceo.exe
4008	Ojoign32.exe
908	Oqhacgdh.exe
3084	Ocgmpccl.exe
400	Ojaelm32.exe
3996	Pmoahijl.exe
4944	Pcijeb32.exe
2332	Pjcbbmif.exe
1128	Pqmjog32.exe
1012	Pfjcgn32.exe
5100	Pmdkch32.exe
1816	Pdkcde32.exe
4464	Pgioqq32.exe
4748	Pjhlml32.exe
1044	Pgllfp32.exe
676	Pnfdcjkg.exe
4864	Pdpmpdbd.exe
5004	Pgnilpah.exe
1448	Qmkadgpo.exe
4000	Qfcfml32.exe
1804	Qqijje32.exe
3924	Qffbbldm.exe
1828	Ajkaii32.exe
900	Aadifclh.exe
3972	Agoabn32.exe
4736	Bmkjkd32.exe
3572	Bebblb32.exe
4688	Bfdodjhm.exe
1324	Bnkgeg32.exe
4416	Baicac32.exe
3680	Bgcknmop.exe
2016	Bmpcfdmg.exe
2972	Bfhhoi32.exe
1668	Banllbdn.exe
628	Bhhdil32.exe
2752	Belebq32.exe
2236	Cndikf32.exe
2212	Chmndlge.exe
4572	Caebma32.exe
4952	Cmqmma32.exe
3272	Foqkdp32.exe
1036	Gglpibgm.exe
1440	Gaadfkgc.exe
3104	Ggnlobej.exe
4484	Gdbmhf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Idebdcdo.exe	Ibffhhek.exe
File opened for modification	C:\Windows\SysWOW64\Bfbaonae.exe	Bohibc32.exe
File created	C:\Windows\SysWOW64\Adnipccc.dll	Gfmojenc.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Mjbogmdb.exe	Miaboe32.exe
File created	C:\Windows\SysWOW64\Jppadk32.dll	Objpoh32.exe
File opened for modification	C:\Windows\SysWOW64\Bebjdgmj.exe	Bohbhmfm.exe
File created	C:\Windows\SysWOW64\Gfhndpol.exe	Gpnfge32.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Ipihpkkd.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Mffjcopi.exe	Moobbb32.exe
File created	C:\Windows\SysWOW64\Ggnedlao.exe	Gaamlecg.exe
File opened for modification	C:\Windows\SysWOW64\Lghcocol.exe	Lejgch32.exe
File created	C:\Windows\SysWOW64\Ijqmhnko.exe	Injmcmej.exe
File created	C:\Windows\SysWOW64\Gmimai32.exe	Geaepk32.exe
File opened for modification	C:\Windows\SysWOW64\Nacmdf32.exe	Nihipdhl.exe
File opened for modification	C:\Windows\SysWOW64\Nbgcih32.exe	Nkqkhk32.exe
File created	C:\Windows\SysWOW64\Eeelnp32.exe	Eoideh32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Backedki.dll	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Ccqkigkp.exe	Cmfclm32.exe
File created	C:\Windows\SysWOW64\Jcigfeaf.dll	Mjbogmdb.exe
File created	C:\Windows\SysWOW64\Mociom32.dll	Ijqmhnko.exe
File opened for modification	C:\Windows\SysWOW64\Fmmmfj32.exe	Fefedmil.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Kolabf32.exe	Jblmgf32.exe
File created	C:\Windows\SysWOW64\Gddbcp32.exe	Gaefgd32.exe
File opened for modification	C:\Windows\SysWOW64\Hienlpel.exe	Hckeoeno.exe
File opened for modification	C:\Windows\SysWOW64\Lqkgbcff.exe	Ljaoeini.exe
File created	C:\Windows\SysWOW64\Ipgijcij.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Boflmdkk.exe	Blhpqhlh.exe
File opened for modification	C:\Windows\SysWOW64\Dnonkq32.exe	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Jmdjlcnk.dll	Fqikob32.exe
File created	C:\Windows\SysWOW64\Lmeffoid.dll	Nlleaeff.exe
File opened for modification	C:\Windows\SysWOW64\Dfjgaq32.exe	Dclkee32.exe
File created	C:\Windows\SysWOW64\Foqkdp32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nlcagc32.dll	Gdafnpqh.exe
File created	C:\Windows\SysWOW64\Nliaao32.exe	Nijeec32.exe
File created	C:\Windows\SysWOW64\Ljalni32.dll	Bbnkonbd.exe
File opened for modification	C:\Windows\SysWOW64\Jjlmclqa.exe	Jgnqgqan.exe
File opened for modification	C:\Windows\SysWOW64\Kflnfcgg.exe	Kpbfii32.exe
File created	C:\Windows\SysWOW64\Daediilg.exe	Dfoplpla.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Ehbnigjj.exe	Eqiibjlj.exe
File created	C:\Windows\SysWOW64\Nlleaeff.exe	Niniei32.exe
File created	C:\Windows\SysWOW64\Dpckjfgg.exe	Diicml32.exe
File created	C:\Windows\SysWOW64\Kilpmh32.exe	Kbmoen32.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Hghoeqmp.exe	Hakgmjoh.exe
File created	C:\Windows\SysWOW64\Oklmii32.dll	Keakgpko.exe
File opened for modification	C:\Windows\SysWOW64\Hnfjbdmk.exe	Hkgnfhnh.exe
File created	C:\Windows\SysWOW64\Comjoclk.dll	Jqhafffk.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Lpepbgbd.exe
File created	C:\Windows\SysWOW64\Dmjhenbq.dll	Knippe32.exe
File created	C:\Windows\SysWOW64\Bgpgng32.exe	Bqfoamfj.exe
File opened for modification	C:\Windows\SysWOW64\Fknbil32.exe	Fdcjlb32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkqfe32.exe	Domdjj32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Igcoqocb.exe	Idebdcdo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9484	8860	WerFault.exe	949

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moaogand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhmqdemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhlejcpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leadnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnijaa32.dll"	Ifleoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll"	Dkokcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpmlnjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpgng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Indmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdljpcg.dll"	Fdkpma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdjin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nondlbmd.dll"	Blhpqhlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiiimel.dll"	Idkkpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfpecg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmcdffmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpggamqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll"	Cidjbmcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljalni32.dll"	Bbnkonbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epndknin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mojhgbdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffjcopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdhiojo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gglpibgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll"	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fganqbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nijeec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqndhcdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkalh32.dll"	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jilnqqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnkcekm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll"	Jgnqgqan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqipio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjglocmi.dll"	Lndham32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4168	3232	fa9bcbdc1909353e9a36e302a9228551.exe	83
PID 3232 wrote to memory of 4168	3232	fa9bcbdc1909353e9a36e302a9228551.exe	83
PID 3232 wrote to memory of 4168	3232	fa9bcbdc1909353e9a36e302a9228551.exe	83
PID 4168 wrote to memory of 4584	4168	Ngpccdlj.exe	84
PID 4168 wrote to memory of 4584	4168	Ngpccdlj.exe	84
PID 4168 wrote to memory of 4584	4168	Ngpccdlj.exe	84
PID 4584 wrote to memory of 1952	4584	Nlmllkja.exe	87
PID 4584 wrote to memory of 1952	4584	Nlmllkja.exe	87
PID 4584 wrote to memory of 1952	4584	Nlmllkja.exe	87
PID 1952 wrote to memory of 3160	1952	Ncfdie32.exe	86
PID 1952 wrote to memory of 3160	1952	Ncfdie32.exe	86
PID 1952 wrote to memory of 3160	1952	Ncfdie32.exe	86
PID 3160 wrote to memory of 1608	3160	Neeqea32.exe	85
PID 3160 wrote to memory of 1608	3160	Neeqea32.exe	85
PID 3160 wrote to memory of 1608	3160	Neeqea32.exe	85
PID 1608 wrote to memory of 3208	1608	Npjebj32.exe	136
PID 1608 wrote to memory of 3208	1608	Npjebj32.exe	136
PID 1608 wrote to memory of 3208	1608	Npjebj32.exe	136
PID 3208 wrote to memory of 1432	3208	Ncianepl.exe	135
PID 3208 wrote to memory of 1432	3208	Ncianepl.exe	135
PID 3208 wrote to memory of 1432	3208	Ncianepl.exe	135
PID 1432 wrote to memory of 3256	1432	Nlaegk32.exe	134
PID 1432 wrote to memory of 3256	1432	Nlaegk32.exe	134
PID 1432 wrote to memory of 3256	1432	Nlaegk32.exe	134
PID 3256 wrote to memory of 3860	3256	Nckndeni.exe	88
PID 3256 wrote to memory of 3860	3256	Nckndeni.exe	88
PID 3256 wrote to memory of 3860	3256	Nckndeni.exe	88
PID 3860 wrote to memory of 2860	3860	Njefqo32.exe	133
PID 3860 wrote to memory of 2860	3860	Njefqo32.exe	133
PID 3860 wrote to memory of 2860	3860	Njefqo32.exe	133
PID 2860 wrote to memory of 1372	2860	Olcbmj32.exe	132
PID 2860 wrote to memory of 1372	2860	Olcbmj32.exe	132
PID 2860 wrote to memory of 1372	2860	Olcbmj32.exe	132
PID 1372 wrote to memory of 1844	1372	Ocnjidkf.exe	131
PID 1372 wrote to memory of 1844	1372	Ocnjidkf.exe	131
PID 1372 wrote to memory of 1844	1372	Ocnjidkf.exe	131
PID 1844 wrote to memory of 1424	1844	Ojgbfocc.exe	130
PID 1844 wrote to memory of 1424	1844	Ojgbfocc.exe	130
PID 1844 wrote to memory of 1424	1844	Ojgbfocc.exe	130
PID 1424 wrote to memory of 3392	1424	Oncofm32.exe	129
PID 1424 wrote to memory of 3392	1424	Oncofm32.exe	129
PID 1424 wrote to memory of 3392	1424	Oncofm32.exe	129
PID 3392 wrote to memory of 1716	3392	Odmgcgbi.exe	127
PID 3392 wrote to memory of 1716	3392	Odmgcgbi.exe	127
PID 3392 wrote to memory of 1716	3392	Odmgcgbi.exe	127
PID 1716 wrote to memory of 1096	1716	Ogkcpbam.exe	126
PID 1716 wrote to memory of 1096	1716	Ogkcpbam.exe	126
PID 1716 wrote to memory of 1096	1716	Ogkcpbam.exe	126
PID 1096 wrote to memory of 3396	1096	Ojjolnaq.exe	124
PID 1096 wrote to memory of 3396	1096	Ojjolnaq.exe	124
PID 1096 wrote to memory of 3396	1096	Ojjolnaq.exe	124
PID 3396 wrote to memory of 1836	3396	Opdghh32.exe	123
PID 3396 wrote to memory of 1836	3396	Opdghh32.exe	123
PID 3396 wrote to memory of 1836	3396	Opdghh32.exe	123
PID 1836 wrote to memory of 828	1836	Ofqpqo32.exe	122
PID 1836 wrote to memory of 828	1836	Ofqpqo32.exe	122
PID 1836 wrote to memory of 828	1836	Ofqpqo32.exe	122
PID 828 wrote to memory of 2516	828	Olkhmi32.exe	121
PID 828 wrote to memory of 2516	828	Olkhmi32.exe	121
PID 828 wrote to memory of 2516	828	Olkhmi32.exe	121
PID 2516 wrote to memory of 4008	2516	Ocdqjceo.exe	120
PID 2516 wrote to memory of 4008	2516	Ocdqjceo.exe	120
PID 2516 wrote to memory of 4008	2516	Ocdqjceo.exe	120
PID 4008 wrote to memory of 908	4008	Ojoign32.exe	89

C:\Users\Admin\AppData\Local\Temp\fa9bcbdc1909353e9a36e302a9228551.exe
"C:\Users\Admin\AppData\Local\Temp\fa9bcbdc1909353e9a36e302a9228551.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Nlmllkja.exe
    C:\Windows\system32\Nlmllkja.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Ncfdie32.exe
      C:\Windows\system32\Ncfdie32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1952

C:\Windows\SysWOW64\Npjebj32.exe
C:\Windows\system32\Npjebj32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\Ncianepl.exe
  C:\Windows\system32\Ncianepl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3208

C:\Windows\SysWOW64\Neeqea32.exe
C:\Windows\system32\Neeqea32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860

C:\Windows\SysWOW64\Oqhacgdh.exe
C:\Windows\system32\Oqhacgdh.exe
1⤵
- Executes dropped EXE
PID:908
- C:\Windows\SysWOW64\Ocgmpccl.exe
  C:\Windows\system32\Ocgmpccl.exe
  2⤵
  - Executes dropped EXE
  PID:3084

C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
1⤵
- Executes dropped EXE
PID:1012
- C:\Windows\SysWOW64\Pmdkch32.exe
  C:\Windows\system32\Pmdkch32.exe
  2⤵
  - Executes dropped EXE
  PID:5100

C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
1⤵
- Executes dropped EXE
PID:4748
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  - Executes dropped EXE
  PID:1044

C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
1⤵
- Executes dropped EXE
PID:4864
- C:\Windows\SysWOW64\Pgnilpah.exe
  C:\Windows\system32\Pgnilpah.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- - C:\Windows\SysWOW64\Qmkadgpo.exe
    C:\Windows\system32\Qmkadgpo.exe
    3⤵
    - Executes dropped EXE
    PID:1448

C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
1⤵
- Executes dropped EXE
PID:4000
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  - Executes dropped EXE
  PID:1804

C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828
- C:\Windows\SysWOW64\Aadifclh.exe
  C:\Windows\system32\Aadifclh.exe
  2⤵
  - Executes dropped EXE
  PID:900

C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
1⤵
- Executes dropped EXE
PID:4736
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  - Executes dropped EXE
  PID:3572

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
1⤵
- Executes dropped EXE
PID:1324
- C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4416
- - C:\Windows\SysWOW64\Bgcknmop.exe
    C:\Windows\system32\Bgcknmop.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:3680
  - - C:\Windows\SysWOW64\Bmpcfdmg.exe
      C:\Windows\system32\Bmpcfdmg.exe
      4⤵
      Executes dropped EXE
      PID:2016
    - - C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
      - C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        6⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        7⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        11⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Foqkdp32.exe
        
        C:\Windows\system32\Foqkdp32.exe
        13⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Gglpibgm.exe
        
        C:\Windows\system32\Gglpibgm.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Gaadfkgc.exe
        
        C:\Windows\system32\Gaadfkgc.exe
        15⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Ggnlobej.exe
        
        C:\Windows\system32\Ggnlobej.exe
        16⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        17⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Gohaeo32.exe
        
        C:\Windows\system32\Gohaeo32.exe
        18⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Gfbibikg.exe
        
        C:\Windows\system32\Gfbibikg.exe
        19⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        20⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Gnmnfkia.exe
        
        C:\Windows\system32\Gnmnfkia.exe
        21⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Ggeboaob.exe
        
        C:\Windows\system32\Ggeboaob.exe
        22⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Hakgmjoh.exe
        
        C:\Windows\system32\Hakgmjoh.exe
        23⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Hghoeqmp.exe
        
        C:\Windows\system32\Hghoeqmp.exe
        24⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Hoogfnnb.exe
        
        C:\Windows\system32\Hoogfnnb.exe
        25⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Hfipbh32.exe
        
        C:\Windows\system32\Hfipbh32.exe
        26⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Hhgloc32.exe
        
        C:\Windows\system32\Hhgloc32.exe
        27⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Hoadkn32.exe
        
        C:\Windows\system32\Hoadkn32.exe
        28⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Hfklhhcl.exe
        
        C:\Windows\system32\Hfklhhcl.exe
        29⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Hhihdcbp.exe
        
        C:\Windows\system32\Hhihdcbp.exe
        30⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Hbbmmi32.exe
        
        C:\Windows\system32\Hbbmmi32.exe
        31⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Hhlejcpm.exe
        
        C:\Windows\system32\Hhlejcpm.exe
        32⤵
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Hofmfmhj.exe
        
        C:\Windows\system32\Hofmfmhj.exe
        33⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Hfpecg32.exe
        
        C:\Windows\system32\Hfpecg32.exe
        34⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Hgabkoee.exe
        
        C:\Windows\system32\Hgabkoee.exe
        35⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Ibffhhek.exe
        
        C:\Windows\system32\Ibffhhek.exe
        36⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Idebdcdo.exe
        
        C:\Windows\system32\Idebdcdo.exe
        37⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Igcoqocb.exe
        
        C:\Windows\system32\Igcoqocb.exe
        38⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Ibicnh32.exe
        
        C:\Windows\system32\Ibicnh32.exe
        39⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Igfkfo32.exe
        
        C:\Windows\system32\Igfkfo32.exe
        40⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Ibkpcg32.exe
        
        C:\Windows\system32\Ibkpcg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4496
        
        C:\Windows\SysWOW64\Ighhln32.exe
        
        C:\Windows\system32\Ighhln32.exe
        42⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Inbqhhfj.exe
        
        C:\Windows\system32\Inbqhhfj.exe
        43⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Iigdfa32.exe
        
        C:\Windows\system32\Iigdfa32.exe
        44⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Indmnh32.exe
        
        C:\Windows\system32\Indmnh32.exe
        45⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ifleoe32.exe
        
        C:\Windows\system32\Ifleoe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Jkhngl32.exe
        
        C:\Windows\system32\Jkhngl32.exe
        47⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        48⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Jilnqqbj.exe
        
        C:\Windows\system32\Jilnqqbj.exe
        49⤵
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jnifigpa.exe
        
        C:\Windows\system32\Jnifigpa.exe
        50⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        51⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Jfbkpd32.exe
        
        C:\Windows\system32\Jfbkpd32.exe
        52⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        53⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Jbileede.exe
        
        C:\Windows\system32\Jbileede.exe
        54⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Jicdap32.exe
        
        C:\Windows\system32\Jicdap32.exe
        55⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Jpmlnjco.exe
        
        C:\Windows\system32\Jpmlnjco.exe
        56⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Jieagojp.exe
        
        C:\Windows\system32\Jieagojp.exe
        57⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kldmckic.exe
        
        C:\Windows\system32\Kldmckic.exe
        58⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Kelalp32.exe
        
        C:\Windows\system32\Kelalp32.exe
        59⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Kpbfii32.exe
        
        C:\Windows\system32\Kpbfii32.exe
        60⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Kflnfcgg.exe
        
        C:\Windows\system32\Kflnfcgg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Kpdboimg.exe
        
        C:\Windows\system32\Kpdboimg.exe
        62⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Keakgpko.exe
        
        C:\Windows\system32\Keakgpko.exe
        63⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Knippe32.exe
        
        C:\Windows\system32\Knippe32.exe
        64⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Khbdikip.exe
        
        C:\Windows\system32\Khbdikip.exe
        65⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Kfcdfbqo.exe
        
        C:\Windows\system32\Kfcdfbqo.exe
        66⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lhdqnj32.exe
        
        C:\Windows\system32\Lhdqnj32.exe
        67⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        68⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lehaho32.exe
        
        C:\Windows\system32\Lehaho32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpneegel.exe
        
        C:\Windows\system32\Lpneegel.exe
        70⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lblaabdp.exe
        
        C:\Windows\system32\Lblaabdp.exe
        71⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Lifjnm32.exe
        
        C:\Windows\system32\Lifjnm32.exe
        72⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Lldfjh32.exe
        
        C:\Windows\system32\Lldfjh32.exe
        73⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lfjjga32.exe
        
        C:\Windows\system32\Lfjjga32.exe
        74⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Llgcph32.exe
        
        C:\Windows\system32\Llgcph32.exe
        75⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Lbqklb32.exe
        
        C:\Windows\system32\Lbqklb32.exe
        76⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Likcilhh.exe
        
        C:\Windows\system32\Likcilhh.exe
        77⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Lpekef32.exe
        
        C:\Windows\system32\Lpekef32.exe
        78⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Leadnm32.exe
        
        C:\Windows\system32\Leadnm32.exe
        79⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mhppji32.exe
        
        C:\Windows\system32\Mhppji32.exe
        80⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mojhgbdl.exe
        
        C:\Windows\system32\Mojhgbdl.exe
        81⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mfaqhp32.exe
        
        C:\Windows\system32\Mfaqhp32.exe
        82⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mpieqeko.exe
        
        C:\Windows\system32\Mpieqeko.exe
        83⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Mbhamajc.exe
        
        C:\Windows\system32\Mbhamajc.exe
        84⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mibijk32.exe
        
        C:\Windows\system32\Mibijk32.exe
        85⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Mlpeff32.exe
        
        C:\Windows\system32\Mlpeff32.exe
        86⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Moobbb32.exe
        
        C:\Windows\system32\Moobbb32.exe
        87⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mffjcopi.exe
        
        C:\Windows\system32\Mffjcopi.exe
        88⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Mhgfkg32.exe
        
        C:\Windows\system32\Mhgfkg32.exe
        89⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Moaogand.exe
        
        C:\Windows\system32\Moaogand.exe
        90⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mifcejnj.exe
        
        C:\Windows\system32\Mifcejnj.exe
        91⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Mpqkad32.exe
        
        C:\Windows\system32\Mpqkad32.exe
        92⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mbognp32.exe
        
        C:\Windows\system32\Mbognp32.exe
        93⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        94⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Nlglfe32.exe
        
        C:\Windows\system32\Nlglfe32.exe
        95⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        96⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        97⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Npedmdab.exe
        
        C:\Windows\system32\Npedmdab.exe
        98⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nbcqiope.exe
        
        C:\Windows\system32\Nbcqiope.exe
        99⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Niniei32.exe
        
        C:\Windows\system32\Niniei32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Nlleaeff.exe
        
        C:\Windows\system32\Nlleaeff.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Ncfmno32.exe
        
        C:\Windows\system32\Ncfmno32.exe
        102⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        103⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        104⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Qoifflkg.exe
        
        C:\Windows\system32\Qoifflkg.exe
        105⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Qgpogili.exe
        
        C:\Windows\system32\Qgpogili.exe
        106⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Qjnkcekm.exe
        
        C:\Windows\system32\Qjnkcekm.exe
        107⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Qqhcpo32.exe
        
        C:\Windows\system32\Qqhcpo32.exe
        108⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        109⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Ajqgidij.exe
        
        C:\Windows\system32\Ajqgidij.exe
        110⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        111⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Aggegh32.exe
        
        C:\Windows\system32\Aggegh32.exe
        112⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        113⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        114⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Bjlgdc32.exe
        
        C:\Windows\system32\Bjlgdc32.exe
        115⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Bqfoamfj.exe
        
        C:\Windows\system32\Bqfoamfj.exe
        116⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Bgpgng32.exe
        
        C:\Windows\system32\Bgpgng32.exe
        117⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bqilgmdg.exe
        
        C:\Windows\system32\Bqilgmdg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Bmomlnjk.exe
        
        C:\Windows\system32\Bmomlnjk.exe
        119⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Bciehh32.exe
        
        C:\Windows\system32\Bciehh32.exe
        120⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Bjcmebie.exe
        
        C:\Windows\system32\Bjcmebie.exe
        121⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Bqmeal32.exe
        
        C:\Windows\system32\Bqmeal32.exe
        122⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        123⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Bihjfnmm.exe
        
        C:\Windows\system32\Bihjfnmm.exe
        124⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        125⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Cmfclm32.exe
        
        C:\Windows\system32\Cmfclm32.exe
        126⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        127⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Cimcan32.exe
        
        C:\Windows\system32\Cimcan32.exe
        128⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        129⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Ccchof32.exe
        
        C:\Windows\system32\Ccchof32.exe
        130⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        131⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Caghhk32.exe
        
        C:\Windows\system32\Caghhk32.exe
        132⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        133⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Cjomap32.exe
        
        C:\Windows\system32\Cjomap32.exe
        134⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Caienjfd.exe
        
        C:\Windows\system32\Caienjfd.exe
        135⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Cffmfadl.exe
        
        C:\Windows\system32\Cffmfadl.exe
        136⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Cidjbmcp.exe
        
        C:\Windows\system32\Cidjbmcp.exe
        137⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Dgejpd32.exe
        
        C:\Windows\system32\Dgejpd32.exe
        138⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Dmbbhkjf.exe
        
        C:\Windows\system32\Dmbbhkjf.exe
        139⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Dclkee32.exe
        
        C:\Windows\system32\Dclkee32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        141⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        142⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Dpckjfgg.exe
        
        C:\Windows\system32\Dpckjfgg.exe
        143⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        144⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        145⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Dabhdinj.exe
        
        C:\Windows\system32\Dabhdinj.exe
        146⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Dhlpqc32.exe
        
        C:\Windows\system32\Dhlpqc32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        148⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Daediilg.exe
        
        C:\Windows\system32\Daediilg.exe
        149⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        150⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        151⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ejdocm32.exe
        
        C:\Windows\system32\Ejdocm32.exe
        152⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Eangpgcl.exe
        
        C:\Windows\system32\Eangpgcl.exe
        153⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        154⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Ehhpla32.exe
        
        C:\Windows\system32\Ehhpla32.exe
        155⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        156⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        157⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Edopabqn.exe
        
        C:\Windows\system32\Edopabqn.exe
        158⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Filiii32.exe
        
        C:\Windows\system32\Filiii32.exe
        159⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Fpeafcfa.exe
        
        C:\Windows\system32\Fpeafcfa.exe
        160⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        161⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Fknbil32.exe
        
        C:\Windows\system32\Fknbil32.exe
        163⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Fagjfflb.exe
        
        C:\Windows\system32\Fagjfflb.exe
        164⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        165⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Fmnkkg32.exe
        
        C:\Windows\system32\Fmnkkg32.exe
        166⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        167⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Falcae32.exe
        
        C:\Windows\system32\Falcae32.exe
        168⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Fdkpma32.exe
        
        C:\Windows\system32\Fdkpma32.exe
        169⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Gkdhjknm.exe
        
        C:\Windows\system32\Gkdhjknm.exe
        170⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Gmcdffmq.exe
        
        C:\Windows\system32\Gmcdffmq.exe
        171⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Gdmmbq32.exe
        
        C:\Windows\system32\Gdmmbq32.exe
        172⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ggkiol32.exe
        
        C:\Windows\system32\Ggkiol32.exe
        173⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Gaamlecg.exe
        
        C:\Windows\system32\Gaamlecg.exe
        174⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Ggnedlao.exe
        
        C:\Windows\system32\Ggnedlao.exe
        175⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        176⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Gacjadad.exe
        
        C:\Windows\system32\Gacjadad.exe
        177⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Gdafnpqh.exe
        
        C:\Windows\system32\Gdafnpqh.exe
        178⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        179⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        180⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        181⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        182⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        183⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Hhbkinel.exe
        
        C:\Windows\system32\Hhbkinel.exe
        184⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        185⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Hdilnojp.exe
        
        C:\Windows\system32\Hdilnojp.exe
        186⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        187⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Hjedffig.exe
        
        C:\Windows\system32\Hjedffig.exe
        188⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Hncmmd32.exe
        
        C:\Windows\system32\Hncmmd32.exe
        189⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        190⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Hkgnfhnh.exe
        
        C:\Windows\system32\Hkgnfhnh.exe
        191⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        192⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Hpdfnolo.exe
        
        C:\Windows\system32\Hpdfnolo.exe
        193⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        194⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        195⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        196⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        197⤵
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        199⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Ijcahd32.exe
        
        C:\Windows\system32\Ijcahd32.exe
        200⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ihdafkdg.exe
        
        C:\Windows\system32\Ihdafkdg.exe
        201⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Inainbcn.exe
        
        C:\Windows\system32\Inainbcn.exe
        202⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Igjngh32.exe
        
        C:\Windows\system32\Igjngh32.exe
        203⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Ibobdqid.exe
        
        C:\Windows\system32\Ibobdqid.exe
        204⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Jhijqj32.exe
        
        C:\Windows\system32\Jhijqj32.exe
        205⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        206⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        207⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        208⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Jklphekp.exe
        
        C:\Windows\system32\Jklphekp.exe
        209⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        210⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Jqiipljg.exe
        
        C:\Windows\system32\Jqiipljg.exe
        211⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        212⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        213⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Jdgafjpn.exe
        
        C:\Windows\system32\Jdgafjpn.exe
        214⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Jjdjoane.exe
        
        C:\Windows\system32\Jjdjoane.exe
        215⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        216⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        217⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Kbmoen32.exe
        
        C:\Windows\system32\Kbmoen32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Kilpmh32.exe
        
        C:\Windows\system32\Kilpmh32.exe
        219⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        220⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Lbgalmej.exe
        
        C:\Windows\system32\Lbgalmej.exe
        221⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Leenhhdn.exe
        
        C:\Windows\system32\Leenhhdn.exe
        222⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Lkofdbkj.exe
        
        C:\Windows\system32\Lkofdbkj.exe
        223⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7784
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        225⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        226⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Ljdceo32.exe
        
        C:\Windows\system32\Ljdceo32.exe
        227⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Lbkkgl32.exe
        
        C:\Windows\system32\Lbkkgl32.exe
        228⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Lejgch32.exe
        
        C:\Windows\system32\Lejgch32.exe
        229⤵
        Drops file in System32 directory
        
        PID:8288
        
        C:\Windows\SysWOW64\Lghcocol.exe
        
        C:\Windows\system32\Lghcocol.exe
        230⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        231⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        232⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        233⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        234⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Mhoipb32.exe
        
        C:\Windows\system32\Mhoipb32.exe
        235⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Mecjif32.exe
        
        C:\Windows\system32\Mecjif32.exe
        236⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        237⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Miaboe32.exe
        
        C:\Windows\system32\Miaboe32.exe
        238⤵
        Drops file in System32 directory
        
        PID:8676
        
        C:\Windows\SysWOW64\Mjbogmdb.exe
        
        C:\Windows\system32\Mjbogmdb.exe
        239⤵
        Drops file in System32 directory
        
        PID:8720
        
        C:\Windows\SysWOW64\Mehcdfch.exe
        
        C:\Windows\system32\Mehcdfch.exe
        240⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        241⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Mblcnj32.exe
        
        C:\Windows\system32\Mblcnj32.exe
        242⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Mejpje32.exe
        
        C:\Windows\system32\Mejpje32.exe
        243⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Mldhfpib.exe
        
        C:\Windows\system32\Mldhfpib.exe
        244⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        245⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Naaqofgj.exe
        
        C:\Windows\system32\Naaqofgj.exe
        246⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Nihipdhl.exe
        
        C:\Windows\system32\Nihipdhl.exe
        247⤵
        Drops file in System32 directory
        
        PID:9056
        
        C:\Windows\SysWOW64\Nacmdf32.exe
        
        C:\Windows\system32\Nacmdf32.exe
        248⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        249⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9156
        
        C:\Windows\SysWOW64\Nliaao32.exe
        
        C:\Windows\system32\Nliaao32.exe
        250⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        251⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        252⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        253⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        254⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        255⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        256⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        257⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        258⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Nkqkhk32.exe
        
        C:\Windows\system32\Nkqkhk32.exe
        259⤵
        Drops file in System32 directory
        
        PID:8788
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        260⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        261⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        262⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        263⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        264⤵
        Drops file in System32 directory
        
        PID:9048
        
        C:\Windows\SysWOW64\Oehlkc32.exe
        
        C:\Windows\system32\Oehlkc32.exe
        265⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        266⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        267⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        268⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        269⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8524
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        271⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Ohkbbn32.exe
        
        C:\Windows\system32\Ohkbbn32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8764
        
        C:\Windows\SysWOW64\Okjnnj32.exe
        
        C:\Windows\system32\Okjnnj32.exe
        273⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        274⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        275⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        276⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        277⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        278⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Oimkbaed.exe
        
        C:\Windows\system32\Oimkbaed.exe
        279⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        280⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        281⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Piphgq32.exe
        
        C:\Windows\system32\Piphgq32.exe
        282⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Pcjiff32.exe
        
        C:\Windows\system32\Pcjiff32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9096
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        284⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        285⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        286⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Pekbga32.exe
        
        C:\Windows\system32\Pekbga32.exe
        287⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        288⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Pocfpf32.exe
        
        C:\Windows\system32\Pocfpf32.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8528
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        290⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        291⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Qebhhp32.exe
        
        C:\Windows\system32\Qebhhp32.exe
        293⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        294⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        295⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Ajpqnneo.exe
        
        C:\Windows\system32\Ajpqnneo.exe
        296⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        297⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Aomifecf.exe
        
        C:\Windows\system32\Aomifecf.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9344
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        299⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        300⤵
        Modifies registry class
        
        PID:9428
        
        C:\Windows\SysWOW64\Akffafgg.exe
        
        C:\Windows\system32\Akffafgg.exe
        301⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Ajggomog.exe
        
        C:\Windows\system32\Ajggomog.exe
        302⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        303⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        304⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\Blhpqhlh.exe
        
        C:\Windows\system32\Blhpqhlh.exe
        305⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9632
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        306⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Bbdhiojo.exe
        
        C:\Windows\system32\Bbdhiojo.exe
        307⤵
        Modifies registry class
        
        PID:9716
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9764
        
        C:\Windows\SysWOW64\Bohibc32.exe
        
        C:\Windows\system32\Bohibc32.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9804
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        310⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        311⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        312⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        313⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9972
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        314⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        315⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        316⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        317⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        318⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        319⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        320⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Cbeapmll.exe
        
        C:\Windows\system32\Cbeapmll.exe
        321⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        322⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Cjnffjkl.exe
        
        C:\Windows\system32\Cjnffjkl.exe
        323⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        324⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Dcigeooj.exe
        
        C:\Windows\system32\Dcigeooj.exe
        325⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        326⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Difpmfna.exe
        
        C:\Windows\system32\Difpmfna.exe
        327⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Dckdjomg.exe
        
        C:\Windows\system32\Dckdjomg.exe
        328⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        329⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        330⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Dfoiaj32.exe
        
        C:\Windows\system32\Dfoiaj32.exe
        331⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        332⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        333⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10128
        
        C:\Windows\SysWOW64\Eidlnd32.exe
        
        C:\Windows\system32\Eidlnd32.exe
        334⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        335⤵
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Eblpgjha.exe
        
        C:\Windows\system32\Eblpgjha.exe
        336⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        337⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        338⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        339⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        340⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        341⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        342⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Fdqfll32.exe
        
        C:\Windows\system32\Fdqfll32.exe
        343⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        344⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        345⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        346⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        347⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Ffclcgfn.exe
        
        C:\Windows\system32\Ffclcgfn.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9732
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        349⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        350⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Fbjmhh32.exe
        
        C:\Windows\system32\Fbjmhh32.exe
        351⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        352⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Gdlfhj32.exe
        
        C:\Windows\system32\Gdlfhj32.exe
        353⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        354⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        355⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Gfmojenc.exe
        
        C:\Windows\system32\Gfmojenc.exe
        356⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Gmggfp32.exe
        
        C:\Windows\system32\Gmggfp32.exe
        357⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        358⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9624
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        360⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        361⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        362⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10368
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        363⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        364⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        365⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        366⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        367⤵
        Drops file in System32 directory
        
        PID:10584
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        368⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        369⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        370⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        371⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        372⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        373⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        374⤵
        Drops file in System32 directory
        
        PID:10880
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        375⤵
        Drops file in System32 directory
        
        PID:10924
        
        C:\Windows\SysWOW64\Ipjedh32.exe
        
        C:\Windows\system32\Ipjedh32.exe
        376⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        377⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        378⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        379⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        380⤵
        Modifies registry class
        
        PID:11136
        
        C:\Windows\SysWOW64\Ikdcmpnl.exe
        
        C:\Windows\system32\Ikdcmpnl.exe
        381⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Jlfpdh32.exe
        
        C:\Windows\system32\Jlfpdh32.exe
        382⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Jcphab32.exe
        
        C:\Windows\system32\Jcphab32.exe
        383⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        384⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        385⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        386⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10412
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        387⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Jpfepf32.exe
        
        C:\Windows\system32\Jpfepf32.exe
        388⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10612
        
        C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        390⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        391⤵
        Drops file in System32 directory
        
        PID:10780
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        392⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        393⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        394⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        395⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        396⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        397⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        398⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        399⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        400⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\Kqdaadln.exe
        
        C:\Windows\system32\Kqdaadln.exe
        401⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        402⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        403⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10688
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        404⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\Kcejco32.exe
        
        C:\Windows\system32\Kcejco32.exe
        405⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        406⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        407⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        408⤵
        Drops file in System32 directory
        
        PID:10276
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        409⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        410⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        411⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        412⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        413⤵
        Modifies registry class
        
        PID:10272
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        414⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Lkchelci.exe
        
        C:\Windows\system32\Lkchelci.exe
        415⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10824
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        416⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        417⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        418⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        419⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        420⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        421⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        422⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        423⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        424⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        425⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        426⤵
        
        PID:11480
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        427⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        428⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        429⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        430⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        431⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        432⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        433⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11784
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        434⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        435⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        436⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        437⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        438⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        439⤵
        
        PID:12056
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        440⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        441⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        442⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        443⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        444⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        445⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        446⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        447⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        448⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        156⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        157⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        158⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        159⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        160⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:9192
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        162⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        163⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        164⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        165⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        166⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        167⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        168⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        169⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        170⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        171⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        172⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        173⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        174⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        175⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        176⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8448
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        178⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        179⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        180⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9356
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        182⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        183⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        184⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        185⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        186⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        187⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8668
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        189⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        190⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9820
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        192⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        193⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        194⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        195⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        196⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        197⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        198⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        199⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9692
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        201⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        202⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        203⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        204⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        205⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8156
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        207⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        208⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        209⤵
        Drops file in System32 directory
        
        PID:10052
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        210⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        211⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        212⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8860 -s 400
        213⤵
        Program crash
        
        PID:9484
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        154⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        155⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        156⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        157⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        158⤵
        
        PID:6968

C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
1⤵
- Executes dropped EXE
PID:676

C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\system32\Pgioqq32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4464

C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1816

C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\system32\Ojoign32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\system32\Ocdqjceo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\system32\Ogkcpbam.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\Nlaegk32.exe
C:\Windows\system32\Nlaegk32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\Onpjichj.exe
C:\Windows\system32\Onpjichj.exe
1⤵
PID:11608
- C:\Windows\SysWOW64\Ojgjndno.exe
  C:\Windows\system32\Ojgjndno.exe
  2⤵
  PID:11688
- - C:\Windows\SysWOW64\Olfghg32.exe
    C:\Windows\system32\Olfghg32.exe
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\Odalmibl.exe
      C:\Windows\system32\Odalmibl.exe
      4⤵
      PID:11852
    - - C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        5⤵
        
        PID:11892
      - C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        7⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        8⤵
        
        PID:12124

C:\Windows\SysWOW64\Plbfdekd.exe
C:\Windows\system32\Plbfdekd.exe
1⤵
PID:12200
- C:\Windows\SysWOW64\Paoollik.exe
  C:\Windows\system32\Paoollik.exe
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\Pkgcea32.exe
    C:\Windows\system32\Pkgcea32.exe
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\Qemhbj32.exe
      C:\Windows\system32\Qemhbj32.exe
      4⤵
      PID:11336
    - - C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        5⤵
        
        PID:3412
      - C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        6⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        7⤵
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        8⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        9⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        10⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        11⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        12⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        14⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        15⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        16⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3616
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        18⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        19⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        20⤵
        Drops file in System32 directory
        
        PID:12232
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        21⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        22⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        23⤵
        
        PID:4016

C:\Windows\SysWOW64\Bnoknihb.exe
C:\Windows\system32\Bnoknihb.exe
1⤵
PID:2036
- C:\Windows\SysWOW64\Clchbqoo.exe
  C:\Windows\system32\Clchbqoo.exe
  2⤵
  PID:11464
- - C:\Windows\SysWOW64\Ckhecmcf.exe
    C:\Windows\system32\Ckhecmcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:3232
  - - C:\Windows\SysWOW64\Cfnjpfcl.exe
      C:\Windows\system32\Cfnjpfcl.exe
      4⤵
      PID:1952
    - - C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11676
      - C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        6⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        7⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        8⤵
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        9⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        10⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        11⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1096
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        13⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3648
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        15⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        16⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        17⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        18⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        19⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        20⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        21⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3444
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        23⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11516
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:540
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        26⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        27⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        28⤵
        Drops file in System32 directory
        
        PID:11736
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        29⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        30⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        31⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        32⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        33⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        34⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        35⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        36⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        37⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        38⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        39⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        40⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        41⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        42⤵
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        43⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        44⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        45⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        46⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        47⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        48⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        49⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        50⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        51⤵
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        52⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        53⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        54⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        55⤵
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        56⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        57⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        58⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        59⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        60⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        61⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        62⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        63⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        64⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        65⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        66⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        67⤵
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        68⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        69⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        70⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        71⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        72⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        73⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        74⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        75⤵
        
        PID:2124

C:\Windows\SysWOW64\Iedjmioj.exe
C:\Windows\system32\Iedjmioj.exe
1⤵
PID:5096
- C:\Windows\SysWOW64\Ipjoja32.exe
  C:\Windows\system32\Ipjoja32.exe
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\Iefgbh32.exe
    C:\Windows\system32\Iefgbh32.exe
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\Joahqn32.exe
      C:\Windows\system32\Joahqn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:4556
    - - C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        6⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3976
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        8⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        9⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        10⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        11⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2480
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        14⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4592

C:\Windows\SysWOW64\Koaagkcb.exe
C:\Windows\system32\Koaagkcb.exe
1⤵
PID:4360
- C:\Windows\SysWOW64\Klfaapbl.exe
  C:\Windows\system32\Klfaapbl.exe
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\Kcpjnjii.exe
    C:\Windows\system32\Kcpjnjii.exe
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\Klhnfo32.exe
      C:\Windows\system32\Klhnfo32.exe
      4⤵
      PID:3712
    - - C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        5⤵
        
        PID:4576
      - C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        6⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        7⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        10⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        11⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        12⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        13⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        14⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        15⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        16⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        17⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        18⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        19⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        20⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        21⤵
        Modifies registry class
        
        PID:5784

C:\Windows\SysWOW64\Mfhbga32.exe
C:\Windows\system32\Mfhbga32.exe
1⤵
PID:3576
- C:\Windows\SysWOW64\Nqmfdj32.exe
  C:\Windows\system32\Nqmfdj32.exe
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\Njhgbp32.exe
    C:\Windows\system32\Njhgbp32.exe
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\Nglhld32.exe
      C:\Windows\system32\Nglhld32.exe
      4⤵
      PID:3956
    - - C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        6⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        7⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        9⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        11⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        12⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        13⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        14⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        15⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        16⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        17⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        18⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        19⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        20⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        21⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        22⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        23⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        24⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        25⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        26⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        28⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        29⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        30⤵
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        31⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        32⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        33⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        34⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        35⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        36⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        37⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        38⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        39⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        40⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        41⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        42⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        43⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        44⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        45⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        47⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        48⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        49⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        50⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        51⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        52⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        53⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        54⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        55⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        56⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        57⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        58⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        59⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        60⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        61⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7008

C:\Windows\SysWOW64\Dnonkq32.exe
C:\Windows\system32\Dnonkq32.exe
1⤵
PID:5576
- C:\Windows\SysWOW64\Dqpfmlce.exe
  C:\Windows\system32\Dqpfmlce.exe
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\Dndgfpbo.exe
    C:\Windows\system32\Dndgfpbo.exe
    3⤵
    PID:6636
  - - C:\Windows\SysWOW64\Dhikci32.exe
      C:\Windows\system32\Dhikci32.exe
      4⤵
      PID:6260
    - - C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        5⤵
        
        PID:228
      - C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        6⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        7⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        8⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        9⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        11⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        12⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        13⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        14⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        15⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        16⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        17⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        18⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        19⤵
        
        PID:4676

C:\Windows\SysWOW64\Fkhpfbce.exe
C:\Windows\system32\Fkhpfbce.exe
1⤵
PID:4776
- C:\Windows\SysWOW64\Fbdehlip.exe
  C:\Windows\system32\Fbdehlip.exe
  2⤵
  PID:6564
- - C:\Windows\SysWOW64\Fganqbgg.exe
    C:\Windows\system32\Fganqbgg.exe
    3⤵
    - Modifies registry class
    PID:7036
  - - C:\Windows\SysWOW64\Fajbjh32.exe
      C:\Windows\system32\Fajbjh32.exe
      4⤵
      PID:2828
    - - C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
      - C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        6⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        7⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        9⤵
        
        PID:6972

C:\Windows\SysWOW64\Hnlodjpa.exe
C:\Windows\system32\Hnlodjpa.exe
1⤵
PID:6384
- C:\Windows\SysWOW64\Hhdcmp32.exe
  C:\Windows\system32\Hhdcmp32.exe
  2⤵
  PID:6256

C:\Windows\SysWOW64\Halhfe32.exe
C:\Windows\system32\Halhfe32.exe
1⤵
PID:7572
- C:\Windows\SysWOW64\Hlblcn32.exe
  C:\Windows\system32\Hlblcn32.exe
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\Hifmmb32.exe
    C:\Windows\system32\Hifmmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6848

C:\Windows\SysWOW64\Ibqnkh32.exe
C:\Windows\system32\Ibqnkh32.exe
1⤵
PID:6620
- C:\Windows\SysWOW64\Ieojgc32.exe
  C:\Windows\system32\Ieojgc32.exe
  2⤵
  PID:6148
- - C:\Windows\SysWOW64\Ihmfco32.exe
    C:\Windows\system32\Ihmfco32.exe
    3⤵
    PID:6296
  - - C:\Windows\SysWOW64\Ihpcinld.exe
      C:\Windows\system32\Ihpcinld.exe
      4⤵
      PID:6604
    - - C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        5⤵
        
        PID:6688
      - C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        6⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        7⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        8⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        9⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        10⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        11⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        12⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        13⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        16⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        17⤵
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        19⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        20⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        21⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        22⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        23⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        24⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        25⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        26⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        27⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        28⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        29⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        30⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        31⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        32⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        33⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        34⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        35⤵
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        36⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        37⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        38⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8216
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        40⤵
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        41⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        42⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        44⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        45⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        46⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        47⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        48⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        49⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        50⤵
        
        PID:7280

C:\Windows\SysWOW64\Ofgdcipq.exe
C:\Windows\system32\Ofgdcipq.exe
1⤵
PID:7804
- C:\Windows\SysWOW64\Pmhbqbae.exe
  C:\Windows\system32\Pmhbqbae.exe
  2⤵
  PID:7676

C:\Windows\SysWOW64\Ppikbm32.exe
C:\Windows\system32\Ppikbm32.exe
1⤵
PID:7768
- C:\Windows\SysWOW64\Pjoppf32.exe
  C:\Windows\system32\Pjoppf32.exe
  2⤵
  - Drops file in System32 directory
  PID:7596
- - C:\Windows\SysWOW64\Pcgdhkem.exe
    C:\Windows\system32\Pcgdhkem.exe
    3⤵
    PID:7856
  - - C:\Windows\SysWOW64\Pidlqb32.exe
      C:\Windows\system32\Pidlqb32.exe
      4⤵
      PID:7304

C:\Windows\SysWOW64\Pjcikejg.exe
C:\Windows\system32\Pjcikejg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6868
- C:\Windows\SysWOW64\Qbonoghb.exe
  C:\Windows\system32\Qbonoghb.exe
  2⤵
  PID:8680
- - C:\Windows\SysWOW64\Qjffpe32.exe
    C:\Windows\system32\Qjffpe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:8628
  - - C:\Windows\SysWOW64\Qmdblp32.exe
      C:\Windows\system32\Qmdblp32.exe
      4⤵
      PID:8692
    - - C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        5⤵
        Modifies registry class
        
        PID:8744
      - C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        6⤵
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8860 -ip 8860
1⤵
PID:6320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afgacokc.exe

Filesize
387KB

MD5
8f736f01b141323d984e18b30a363691

SHA1
41f1a917e8cc83384314dbefdb90961b7967fc35

SHA256
82bcab4820b7ef16281b2880b59acebee2d4675436ec72e44a934e25434deb1b

SHA512
3b82d29c29de38d1df9957507c26838daa727e617d46f6734471071db95ae0a423cf807b08afc2d43e2cc41b471470de75ef8141aa5049baa5d138d6be777b66

Download Submit
C:\Windows\SysWOW64\Bbiado32.exe

Filesize
387KB

MD5
30ecab58c721571a22c1f349286c8ba6

SHA1
8c0fe1ba0a995ece58148e96b8275f3b734483a5

SHA256
194e23904b981bc0af3d501772cf51515bf91b5dc95624032529fbbeedf00723

SHA512
b457ea278123b92ee514ad8960d209b06a843991ab67c5f62e4f137c83acbbd72c00122220052718afeb105e4224a99e38ac9aca664f47a26b0c2741394c05b7

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
387KB

MD5
e674d746c16c9f5185f7670cdaac4d73

SHA1
1df6d60c5b82f091e85b01046ffd573882047c11

SHA256
5588020e0b4dac3b98f80cef97049c9602758140aa48bff468d21136d229b291

SHA512
82dc1b83e0da236903554dad607251bfebf2017acf9f79df234e0d83df25b4d2a154eb605975570b6bcb7156d33ec40ad92a6693e58573403fdfd55785da3dfb

Download Submit
C:\Windows\SysWOW64\Cjnffjkl.exe

Filesize
387KB

MD5
3e3d42927c6f0fa55acc5aee78a65bf6

SHA1
54aeb82ea309918760ee6f259acbbf3afa442d35

SHA256
9a4b3bcfb3000b71a13bbee86dc86f760fd9dfae94a944550dc7c7775909f6a7

SHA512
b0f809da41fb0b062c680495511600cb27b1099a4589d8d064251c7bc7fa44d2471dd4f90011cfd8ae07bd1dc37c3193ca9275da26c494083f8351c8ba6a08ff

Download Submit
C:\Windows\SysWOW64\Ffclcgfn.exe

Filesize
387KB

MD5
268270f5f6673642a6e5cb4db73cacfa

SHA1
7b89c976fcbe9b650fdfcf8c74fb84dc86a14500

SHA256
5c4e997b7c2851acafc3f6a56e8506ed53ec7cff8802aaa38b92a39541fa5a11

SHA512
ca4332871d22f501ccf18b9f0cce65b9cabbc036939cdd609da7e2b2b6be385bc3ba3cb8d970b417fe8acd4562d2d13a58f6cbcbb2b69b776ce4fec1d6de002b

Download Submit
C:\Windows\SysWOW64\Hfipbh32.exe

Filesize
387KB

MD5
4e6a2c4738699f458970aac992025669

SHA1
fa5206ab86f2f56e3a1d34b35794e6b012f5c027

SHA256
a79621517f7180258b433272ef3ccdc85354cda15bd0550c812691b2f47674a1

SHA512
79455998f5b8a5c107a286c6be96562b1e581c91e2a12bf8a791beb6454a4e065b20e1888363ef71900f95ce03e052f236163dc59b62d278e308c2a0fd84a2c0

Download Submit
C:\Windows\SysWOW64\Hkfglb32.exe

Filesize
387KB

MD5
58718642be33edd94d443fe8f013e48c

SHA1
dd5043f8857a42b69534b3ab51374b23ee826d33

SHA256
8e837036b662450a6e6d43b37b5a8e281b888ee61a4d0cd2adb55c1e3c80fd7b

SHA512
824a5e69e1faa471167537db8e4d6a975b5f54bb945eb0f2a6aaa976e557b2d2927efe762d6a4d11e6241893cbc03700257dbcf0e8944def724c63982090ee3b

Download Submit
C:\Windows\SysWOW64\Injmcmej.exe

Filesize
387KB

MD5
3162ff340481168ed0d4d03483faf630

SHA1
88ff7ecdba1dca4f7a5217c1534e64e8e84bf916

SHA256
2af146dd14818239651d9da53650d265aa7666d1bfc6c119fbc18caab3a8c418

SHA512
97fcc5c8ac34ab56836d04d90350e1a77c48ed5edaf98ca0b9f900fe871751d2199eb705297e8c17bea58fef678e131c70e2efd1880dab77771cf14b35f770b4

Download Submit
C:\Windows\SysWOW64\Jilnqqbj.exe

Filesize
387KB

MD5
5e455314c996cd695f535a5451f7146d

SHA1
f87b7aa070618018921d9ccd216991127bd769a7

SHA256
4c0ca0bd9e8a24eca21c54dc6386442ed2cea13530d2837220f0c01c0bab4346

SHA512
a4872056eda93f9791dcadfd86d469f4405bf8c25a21b4d189a795155b6699a3301a41d4c2606517b1138101b3a6d565268cb5cc03d202fb59aa530310020486

Download Submit
C:\Windows\SysWOW64\Jpfepf32.exe

Filesize
387KB

MD5
1781b1b42a1e931414842a2a3c52b3ea

SHA1
e12336ae9d5dda8a72e3c59a7e1d58875eb36246

SHA256
9317068be3fc9e14257ef0377828a8a4a25002e65a04f7bc5ce2bbb9f941196c

SHA512
ec47428de00343ec11e52651671233ff48d49848e99fb96730140561870e03ab8253c479a27acf709d82be31ecc54b275d650e3c5ec2203d9af12d0dbd1652ea

Download Submit
C:\Windows\SysWOW64\Kflnfcgg.exe

Filesize
387KB

MD5
1eaa79af3a8708924c6f994a73d8e1c0

SHA1
647dfcad4b02f8e4b34ba925948358bc8f2a423e

SHA256
0be2cacc978b9e7dd2798eb2fcf76dcbb0ea435d304387221b714e10e85a4cb3

SHA512
a2c89f92130dce70fe24b415f0096978a138c1890deaebf69ee7131bbc9f7599e6edf204535649469b7a39e87d77056d1f8a3d62810d138d2c20342e80adede0

Download Submit
C:\Windows\SysWOW64\Kqphfe32.exe

Filesize
387KB

MD5
87704dade5676b1c53f80bd609c5433d

SHA1
9cad61d5701c4bc65acef1e2905027f9d154e77d

SHA256
93127fb6153a173412c4b1c2807daa6663e82248bd0ef50cf8ad8efde40428f1

SHA512
41934c4a621edf9bd08084ebd3bbbd1b2d8c65492d25a886d4236a33ed2fe30e2e9dae2a99dae674d2188af240f04cec5ec37df4f8fe8a08cb3d7cecd760bf02

Download Submit
C:\Windows\SysWOW64\Llhikacp.exe

Filesize
387KB

MD5
08cbe8d2b82ea0fda7f601624aa4671a

SHA1
87d162ddae2a5e5e30016d2bd6015a117147e1d1

SHA256
b28070a0c6deac79bc6bbad9899771cf99680dc2914be1501df9349543009cbd

SHA512
d7fb02536a9f12372b340566ba450c1db54460dac227b930735edd7b105cb1444c912d25c3cdd3561d76d5e7146eb64af296b5e777939ecc21444bbe8ac8d3f5

Download Submit
C:\Windows\SysWOW64\Lnnbqnjn.exe

Filesize
387KB

MD5
d504450a43ea9c7ae60aa64033ec07f0

SHA1
3fce59ce028f8719422eb01f11f668576ec82257

SHA256
d5d8e4a6ae4c0a2935161fa8c383cd967ce6ad554c56c2f9f1074b4c307c8742

SHA512
8b3e8e5767ffca04975a3643bd613a50cca24b2007f0c887ab6dceb2033c98c7ee6675a0d95c19d7debb3adda4407324a488af1c07802f65a5a66bfde97ab2dc

Download Submit
C:\Windows\SysWOW64\Lpekef32.exe

Filesize
387KB

MD5
44343dd1239ea45bfa18cc45c7639174

SHA1
74f4a4055ece5e1a1bec61c629241b6da745b56b

SHA256
b1f1a0e713b43f6d7b815187ae5cc70b8b8dae15ee5dd9839b872a53674b00d1

SHA512
c7305af029aaee93148d962c5cc87df3bbf4257904c74a464deecc511b251566d074e521d41ee5c2c9a2fbf16a84a28c1079cb7ed15e15fb7e2fbaf0d354cc33

Download Submit
C:\Windows\SysWOW64\Mecjif32.exe

Filesize
387KB

MD5
22fb7b1188db9db5ed7baa034b885dfc

SHA1
7ec323f15df21b62451cfe93be468fc15b018425

SHA256
9412bfa2db1202f6dbc5ab704f539aa1910c134310de97bf2b7a0956a15eb002

SHA512
ef0f94b8c7b6c418866bfeed9683f1c7fa898a88e607158502197d7b06b05a10773ddc95a56f95e1cc4d7f4d4055f719438b14eab6cd5c4d810f17916eb076d7

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
387KB

MD5
253fa9d94a0f71b31bfe4ac141feeddc

SHA1
f91e3156e10c32cea0f844e68248874488239f63

SHA256
f7b06d20ba26c786c8e2f5b8272a693ada6d89467a3a0d53c9ac25b557b64bf1

SHA512
d0aeca6a9040e5ca60593931cdfd1eab687b7e34c6e0b1de7f114ac80de653f5e54e385a32149263ba91063c652c478fd2bad8c767d65ec7a7f546b293a29a41

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
387KB

MD5
253fa9d94a0f71b31bfe4ac141feeddc

SHA1
f91e3156e10c32cea0f844e68248874488239f63

SHA256
f7b06d20ba26c786c8e2f5b8272a693ada6d89467a3a0d53c9ac25b557b64bf1

SHA512
d0aeca6a9040e5ca60593931cdfd1eab687b7e34c6e0b1de7f114ac80de653f5e54e385a32149263ba91063c652c478fd2bad8c767d65ec7a7f546b293a29a41

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
387KB

MD5
1f3e86fe9409194fba5272b1534f083e

SHA1
c97cbe29f840dcd068e412db1b1dcd9d6f281ae3

SHA256
02fc3278f42517cd43a75048e2badbe76b8fc5e671b894a48504604516071d43

SHA512
369ef447d72f2e332baf73e3a9402f6af05372f782d68c8a331b6e4e45ba6c78ea3022fd56c8d87d07dbd07c57cba748064c97c4f3c3a2288eabb9889f829089

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
387KB

MD5
1f3e86fe9409194fba5272b1534f083e

SHA1
c97cbe29f840dcd068e412db1b1dcd9d6f281ae3

SHA256
02fc3278f42517cd43a75048e2badbe76b8fc5e671b894a48504604516071d43

SHA512
369ef447d72f2e332baf73e3a9402f6af05372f782d68c8a331b6e4e45ba6c78ea3022fd56c8d87d07dbd07c57cba748064c97c4f3c3a2288eabb9889f829089

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
387KB

MD5
3eace741ded68fb79f8ed07ab7fca8d1

SHA1
75c06b1d54f8d3c1e73abdf60bead78441ec29e5

SHA256
5eb77b0182acbff940b1a9b8b0bc8e668ca07c7fcd8bb97649f83b942530c890

SHA512
19a588c39c724740b28a160b2667a1256134bf836cd7ca5075548586a35e68790d7de3b3b660d468aa4eb78ae959cb279768bfd3a1581f2bc2bb754d1e6e144f

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
387KB

MD5
3eace741ded68fb79f8ed07ab7fca8d1

SHA1
75c06b1d54f8d3c1e73abdf60bead78441ec29e5

SHA256
5eb77b0182acbff940b1a9b8b0bc8e668ca07c7fcd8bb97649f83b942530c890

SHA512
19a588c39c724740b28a160b2667a1256134bf836cd7ca5075548586a35e68790d7de3b3b660d468aa4eb78ae959cb279768bfd3a1581f2bc2bb754d1e6e144f

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
387KB

MD5
0c6d321a4345f061c8743fdd64734c49

SHA1
1dc84daa936d0dffc8df1a242ce42d3ec39d2612

SHA256
9a0aca7b0d95f518a1b71212f6bb04d241d843421308432b7ae41d7a08225e30

SHA512
0010d04f918b69c5d6aa3d1b7aa24aacdd2a7ae3b917feb30e52915637f4173e2ff3fab5b17451f9f2e2f761a9cde2e1b9272551dfb4621d4557d5c91f29abef

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
387KB

MD5
0c6d321a4345f061c8743fdd64734c49

SHA1
1dc84daa936d0dffc8df1a242ce42d3ec39d2612

SHA256
9a0aca7b0d95f518a1b71212f6bb04d241d843421308432b7ae41d7a08225e30

SHA512
0010d04f918b69c5d6aa3d1b7aa24aacdd2a7ae3b917feb30e52915637f4173e2ff3fab5b17451f9f2e2f761a9cde2e1b9272551dfb4621d4557d5c91f29abef

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
387KB

MD5
b4a3ab4c12b94bcbeda775033b2aa61e

SHA1
a96dad5c4b3de0f68b74877c93cf358a5ddef2d3

SHA256
3471e6642073cc587330bf977430d95b7d1b224689e1439c8461173d920ace56

SHA512
f5f419f88aa80f85cf375874a762045e6cad58b6fd09188dca638ca63300823f2397bdc565858e454bcd9556c37f655f485a8cd51bb60fe07b4090db5e954388

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
387KB

MD5
b4a3ab4c12b94bcbeda775033b2aa61e

SHA1
a96dad5c4b3de0f68b74877c93cf358a5ddef2d3

SHA256
3471e6642073cc587330bf977430d95b7d1b224689e1439c8461173d920ace56

SHA512
f5f419f88aa80f85cf375874a762045e6cad58b6fd09188dca638ca63300823f2397bdc565858e454bcd9556c37f655f485a8cd51bb60fe07b4090db5e954388

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
387KB

MD5
0c28da3b9ce4bac0273501cc878e42c8

SHA1
7290592bb30b498cd027416e69868b514e7e5f5b

SHA256
65019e950ef6074fdd36f4efd7c92a9e3dc96a99b8df8568bf2bb65a9cfbee3b

SHA512
19967acaa60716ba6a70d87d789165603e48c3670b9d0bd1f0cc9294a89026cf0d5830989700736961c10e8023be5f12089864d5a4a9f09bc27601af41151100

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
387KB

MD5
0c28da3b9ce4bac0273501cc878e42c8

SHA1
7290592bb30b498cd027416e69868b514e7e5f5b

SHA256
65019e950ef6074fdd36f4efd7c92a9e3dc96a99b8df8568bf2bb65a9cfbee3b

SHA512
19967acaa60716ba6a70d87d789165603e48c3670b9d0bd1f0cc9294a89026cf0d5830989700736961c10e8023be5f12089864d5a4a9f09bc27601af41151100

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
387KB

MD5
1c382470de8571a7d3ef23996e663274

SHA1
fce06c5848d9549e05d22d1016fcfd5d9b29400d

SHA256
22ee16659e50900dc3df24be0df1b821be6c1d84892f440006ad6c055ec7b3a2

SHA512
ab7f63711056f5b6fb9ea8dfc595f24ad1aa92323dd56fd44327590f192f4552b2b89aab4003fe1b88180b89ee443a988449ef4c47376547e98110feb2f9ab21

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
387KB

MD5
1c382470de8571a7d3ef23996e663274

SHA1
fce06c5848d9549e05d22d1016fcfd5d9b29400d

SHA256
22ee16659e50900dc3df24be0df1b821be6c1d84892f440006ad6c055ec7b3a2

SHA512
ab7f63711056f5b6fb9ea8dfc595f24ad1aa92323dd56fd44327590f192f4552b2b89aab4003fe1b88180b89ee443a988449ef4c47376547e98110feb2f9ab21

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
387KB

MD5
6eb855e7a76fe84be7ea159567408b5e

SHA1
e632c361f5f7c711f759845883e2556b1dfca9b1

SHA256
7fd49e6445d303503e9979b7216dffbe20a055615e880efa64f7f2c20034ed31

SHA512
43a857a08b9e06b7338c000eeff1f2d3068d21fcf8fa86d3990e3c2fac7e56bacd451b1b7e4507e00f1c9133d3caacef7f6983467aad72a5d07c5b2ddec163a9

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
387KB

MD5
6eb855e7a76fe84be7ea159567408b5e

SHA1
e632c361f5f7c711f759845883e2556b1dfca9b1

SHA256
7fd49e6445d303503e9979b7216dffbe20a055615e880efa64f7f2c20034ed31

SHA512
43a857a08b9e06b7338c000eeff1f2d3068d21fcf8fa86d3990e3c2fac7e56bacd451b1b7e4507e00f1c9133d3caacef7f6983467aad72a5d07c5b2ddec163a9

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
387KB

MD5
e2873d9b597c0eda6dcd3e7cc477731a

SHA1
b4eec1df0361d631c9ffd4dd65adc0dd9db70248

SHA256
4a52db3baeeb5c2031e16a0e7d67f037f21d91edfe0fcf4de157eae744c45f9a

SHA512
659b3d938864c90c4fda542070f99428352e0ce5a3869a45f83d92e03a65b7ceaf7dfdca938253809b1e38c0ca8a80fbb67ff9694dfc4b259e25a6ed98ecf040

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
387KB

MD5
e2873d9b597c0eda6dcd3e7cc477731a

SHA1
b4eec1df0361d631c9ffd4dd65adc0dd9db70248

SHA256
4a52db3baeeb5c2031e16a0e7d67f037f21d91edfe0fcf4de157eae744c45f9a

SHA512
659b3d938864c90c4fda542070f99428352e0ce5a3869a45f83d92e03a65b7ceaf7dfdca938253809b1e38c0ca8a80fbb67ff9694dfc4b259e25a6ed98ecf040

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
387KB

MD5
1650ef93c23f4d29a5d21a9fca13e972

SHA1
e19e79d2ba5474e68888103369880e6722db1f73

SHA256
be8e7586379f0cae7182f2344c7dccab0363c8e766b9bfa1c4616a1aab492802

SHA512
365f0d822062aa651458b824388fe74bd7452ba4bc6f17a91c6a3c5b605395a5ad066ce46e6dd53de3e4dcb5bef6625035fe36cd9bc3c850c21751ff824c9a21

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
387KB

MD5
1650ef93c23f4d29a5d21a9fca13e972

SHA1
e19e79d2ba5474e68888103369880e6722db1f73

SHA256
be8e7586379f0cae7182f2344c7dccab0363c8e766b9bfa1c4616a1aab492802

SHA512
365f0d822062aa651458b824388fe74bd7452ba4bc6f17a91c6a3c5b605395a5ad066ce46e6dd53de3e4dcb5bef6625035fe36cd9bc3c850c21751ff824c9a21

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
387KB

MD5
e408ad1dd87f0e5c4d622ebf4f2fea81

SHA1
58303148e9520de0d9248804ea48ea0162c1a532

SHA256
24c3fb71fc5c9cd70f75d920223b8e7702d577b78c646f643467a179bec6f802

SHA512
3bfd73987b5c0db900a2729cc6f3ac60aa55a190c8463148f72cffdfdfc0a48d61ba770b081852cc34ca8b829855ba2cc9a1f527f3e16a65793203db064079b1

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
387KB

MD5
e408ad1dd87f0e5c4d622ebf4f2fea81

SHA1
58303148e9520de0d9248804ea48ea0162c1a532

SHA256
24c3fb71fc5c9cd70f75d920223b8e7702d577b78c646f643467a179bec6f802

SHA512
3bfd73987b5c0db900a2729cc6f3ac60aa55a190c8463148f72cffdfdfc0a48d61ba770b081852cc34ca8b829855ba2cc9a1f527f3e16a65793203db064079b1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
387KB

MD5
c981de6312e89a14b2c74af56777fcb7

SHA1
4637b2b69c00ad652dbe4d337fdb51b40763a066

SHA256
4783edef9b844f188d2c3d5dc319d3820c128d25fad850840c7e9252523f5914

SHA512
d5d68e98478803008de0683d74f0ce69bfc5d4b8af60086ffcaa40dbf8abe01f98a3a77b77d00f057a69b68b29957f6bea6c5caf7d23e14f5e83593896ae4641

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
387KB

MD5
c981de6312e89a14b2c74af56777fcb7

SHA1
4637b2b69c00ad652dbe4d337fdb51b40763a066

SHA256
4783edef9b844f188d2c3d5dc319d3820c128d25fad850840c7e9252523f5914

SHA512
d5d68e98478803008de0683d74f0ce69bfc5d4b8af60086ffcaa40dbf8abe01f98a3a77b77d00f057a69b68b29957f6bea6c5caf7d23e14f5e83593896ae4641

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
387KB

MD5
37d069d701be1a79080c5f04cbca3b90

SHA1
abb004b0f451f56e703ca5372b53e47294d2e6b1

SHA256
f1cbfd853a9ae144e158ba48b4607e327061bff73848fd817791219328c66034

SHA512
7099257962b69db56e8dfe60ffe6d557bc6d4b601cd8222c1a542ea0632f3b034e69966c5931241c7ed15da919dbc6b51cac86485502643749ccafe7fd8d4824

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
387KB

MD5
37d069d701be1a79080c5f04cbca3b90

SHA1
abb004b0f451f56e703ca5372b53e47294d2e6b1

SHA256
f1cbfd853a9ae144e158ba48b4607e327061bff73848fd817791219328c66034

SHA512
7099257962b69db56e8dfe60ffe6d557bc6d4b601cd8222c1a542ea0632f3b034e69966c5931241c7ed15da919dbc6b51cac86485502643749ccafe7fd8d4824

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
387KB

MD5
4001f221f8ad06575371f9da995d6544

SHA1
8138095618a09482cbc544dcc1ac8719421a8397

SHA256
420008cca5ac42bd92c51aae6239e4ab3017fc092337105dcfebec80026f7d78

SHA512
1b5dc040435cd6aa900b710de1af5c20aa30650d665f15081573fad04224a816b6f959cd5cd199faa4227e2066d35a4e9abd701711391d9d9f624c5a83119585

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
387KB

MD5
4001f221f8ad06575371f9da995d6544

SHA1
8138095618a09482cbc544dcc1ac8719421a8397

SHA256
420008cca5ac42bd92c51aae6239e4ab3017fc092337105dcfebec80026f7d78

SHA512
1b5dc040435cd6aa900b710de1af5c20aa30650d665f15081573fad04224a816b6f959cd5cd199faa4227e2066d35a4e9abd701711391d9d9f624c5a83119585

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
387KB

MD5
9f30a33451d9df03fd732e4e8c59cc8a

SHA1
08eb9f8009158bb7d4c805fde2440c554fac74b7

SHA256
a0e7a6fe1deb4a868b80e3c40f6e8a4fc99de80b6f246f85021110d82dc071c6

SHA512
c07bef334e462f67e5b6826675c324fe497abdc71121ae202645b5b8adcc6a4d6163bff9a30be526778314694f9eff00ade3706f5573e6db581b58b41694ee19

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
387KB

MD5
9f30a33451d9df03fd732e4e8c59cc8a

SHA1
08eb9f8009158bb7d4c805fde2440c554fac74b7

SHA256
a0e7a6fe1deb4a868b80e3c40f6e8a4fc99de80b6f246f85021110d82dc071c6

SHA512
c07bef334e462f67e5b6826675c324fe497abdc71121ae202645b5b8adcc6a4d6163bff9a30be526778314694f9eff00ade3706f5573e6db581b58b41694ee19

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
387KB

MD5
a0705fa2307e50e4ae7ebd0643f126d1

SHA1
fd61609c516b15e393ecf5fa5b20be7fd6cb0738

SHA256
42aaef9817b547154483bb54fa7c430298f9918896e0d3a415553e05522bac73

SHA512
26937b9ca4975f455af3ad4139fa33725df5ac5052ac389545a13a154e07b4de5cea15f09882230f944427d39cc203f983f0c00f5325e2536ae722417eacf66d

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
387KB

MD5
a0705fa2307e50e4ae7ebd0643f126d1

SHA1
fd61609c516b15e393ecf5fa5b20be7fd6cb0738

SHA256
42aaef9817b547154483bb54fa7c430298f9918896e0d3a415553e05522bac73

SHA512
26937b9ca4975f455af3ad4139fa33725df5ac5052ac389545a13a154e07b4de5cea15f09882230f944427d39cc203f983f0c00f5325e2536ae722417eacf66d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
387KB

MD5
eef649e097061a38ffdceb8e68aa20fc

SHA1
7e9104641d546783f66ad4958df855f0f16c00c0

SHA256
1b08691ca84b3ecb2bce75ff5903e955fcd638a3efe44a1e324fef13b02a2e91

SHA512
88672329147565aa07999fc0ed8249a667051a6baf6478b0a73a7e8cee68e155274a81a0b92572e7f81d724c4f4058110f65628c62b871a4daf5a2b430c4ca9b

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
387KB

MD5
eef649e097061a38ffdceb8e68aa20fc

SHA1
7e9104641d546783f66ad4958df855f0f16c00c0

SHA256
1b08691ca84b3ecb2bce75ff5903e955fcd638a3efe44a1e324fef13b02a2e91

SHA512
88672329147565aa07999fc0ed8249a667051a6baf6478b0a73a7e8cee68e155274a81a0b92572e7f81d724c4f4058110f65628c62b871a4daf5a2b430c4ca9b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
387KB

MD5
edc9f7b1abdf29a8c1048c1be713b63c

SHA1
f93371473ad920438981e24e6a03fae273649884

SHA256
1999f0a89ca99b9987355e8bbfbf7ac8ba0ef4cbb8a9ab04e3a4ef0ccb5edc2e

SHA512
e2f5a7e72a4db86c6d558713f8b41c34579f38ebea8019614e28c8d941b219733ec678f90aada521469cdcf232c9a91dcf747086ff4967b9b6a31a85f4ad505d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
387KB

MD5
edc9f7b1abdf29a8c1048c1be713b63c

SHA1
f93371473ad920438981e24e6a03fae273649884

SHA256
1999f0a89ca99b9987355e8bbfbf7ac8ba0ef4cbb8a9ab04e3a4ef0ccb5edc2e

SHA512
e2f5a7e72a4db86c6d558713f8b41c34579f38ebea8019614e28c8d941b219733ec678f90aada521469cdcf232c9a91dcf747086ff4967b9b6a31a85f4ad505d

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
387KB

MD5
e4ff536a6bbde39dcdfeeda3fa953888

SHA1
4e4d9f32b13cfb12534d7aaad73fa6a4d2f6d6c4

SHA256
30932e67af2d3d378634e092b94adaad4ffd23982c2b36e22f0e0e215bd4610e

SHA512
29bb9b6c7bc1678df5c4bc8e269e5581e166d9462a1544aa030c60e894eaa194e10f4c57747687536258f33d0b01241e527565a9f1d41b42c21a8b3fbef1e48b

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
387KB

MD5
e4ff536a6bbde39dcdfeeda3fa953888

SHA1
4e4d9f32b13cfb12534d7aaad73fa6a4d2f6d6c4

SHA256
30932e67af2d3d378634e092b94adaad4ffd23982c2b36e22f0e0e215bd4610e

SHA512
29bb9b6c7bc1678df5c4bc8e269e5581e166d9462a1544aa030c60e894eaa194e10f4c57747687536258f33d0b01241e527565a9f1d41b42c21a8b3fbef1e48b

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
387KB

MD5
1667703fd437c9ad2e17f87aac5821b1

SHA1
0a1915f4974e15b576b86871e4a22169542c16ff

SHA256
6c52637633c6d14c676bbe95f6943e63e4f8c0a8947211749f9d9134f712125e

SHA512
82eee51db5aee95922022e35cdd8959fa75e33ac4de112dd32446c3d8631a977a637e9a87437f7e7b59b5e0928fd2acf165d493c26cce6a7c51e5ceac2ac2ad0

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
387KB

MD5
1667703fd437c9ad2e17f87aac5821b1

SHA1
0a1915f4974e15b576b86871e4a22169542c16ff

SHA256
6c52637633c6d14c676bbe95f6943e63e4f8c0a8947211749f9d9134f712125e

SHA512
82eee51db5aee95922022e35cdd8959fa75e33ac4de112dd32446c3d8631a977a637e9a87437f7e7b59b5e0928fd2acf165d493c26cce6a7c51e5ceac2ac2ad0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
387KB

MD5
d36d511c469897bb7cae336b7ccf5dfa

SHA1
d0b89e65c7726e39f20c5ad11202234af1743af5

SHA256
aa407013b2a4aec95954753c089770e3499b8ae6795b96a16f4f76ada04919fc

SHA512
1c51bdb1edee64e740368c597011d1b4010fa5a15d67e209a83de2a94ffe7cec07dcea9ad24c6e4feadfcf14f48f6352f2e4c25920e9d7e3cab2e2b3af62aa15

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
387KB

MD5
d36d511c469897bb7cae336b7ccf5dfa

SHA1
d0b89e65c7726e39f20c5ad11202234af1743af5

SHA256
aa407013b2a4aec95954753c089770e3499b8ae6795b96a16f4f76ada04919fc

SHA512
1c51bdb1edee64e740368c597011d1b4010fa5a15d67e209a83de2a94ffe7cec07dcea9ad24c6e4feadfcf14f48f6352f2e4c25920e9d7e3cab2e2b3af62aa15

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
387KB

MD5
ba1c1f2b77e02bf220f7cbfe7599a83f

SHA1
ad278fce23053ddbc97cb960d2052081222f897e

SHA256
ca904a4a0c79a33ee7c6ca125d3ab6a435903fca10999838b4d861ca5ff1c6e6

SHA512
bb9bf5ab5b66197956d137dcea69d94f3d1bcf4b445bb8a783ef488fac78b668f3ae4a0bd129ea609c231fcb4ea837f748f4156f2757ab6d1f7305e463a70790

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
387KB

MD5
ba1c1f2b77e02bf220f7cbfe7599a83f

SHA1
ad278fce23053ddbc97cb960d2052081222f897e

SHA256
ca904a4a0c79a33ee7c6ca125d3ab6a435903fca10999838b4d861ca5ff1c6e6

SHA512
bb9bf5ab5b66197956d137dcea69d94f3d1bcf4b445bb8a783ef488fac78b668f3ae4a0bd129ea609c231fcb4ea837f748f4156f2757ab6d1f7305e463a70790

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
387KB

MD5
9bfcafad3e555407190fd08c31745cd8

SHA1
566b9a2e8e6fb2dcf417a6200857f64866bde65c

SHA256
af9502b9fc7b46b0fcf1d36009b1e19ca419b4262eecfdd905ccfd34123c5ad9

SHA512
176ff42ea7354f408df71be3ec056cbd0b9b509084a912b5e0e3df724b7237b49a02dc7da47d71f18f0af9bfd691eed397f4faa117c7dabd77319c3d1f1d9f73

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
387KB

MD5
9bfcafad3e555407190fd08c31745cd8

SHA1
566b9a2e8e6fb2dcf417a6200857f64866bde65c

SHA256
af9502b9fc7b46b0fcf1d36009b1e19ca419b4262eecfdd905ccfd34123c5ad9

SHA512
176ff42ea7354f408df71be3ec056cbd0b9b509084a912b5e0e3df724b7237b49a02dc7da47d71f18f0af9bfd691eed397f4faa117c7dabd77319c3d1f1d9f73

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
387KB

MD5
cc121032965a2f6d8c723806e8db982e

SHA1
2f6a891d9b22e5170ffcadbfd3a6c8d52c09a999

SHA256
146875d79455fb2f50080be422d36edb5be7568f0ce257d014ddbee6b2d6a1bd

SHA512
ba7d053d79dffad0e76ce703b14b17ef2614efa9d255105c76c2c550c2c2aff9996d678e8f16da2f7f06768d3957b30004fe01070fa06aceeb71de2133d77815

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
387KB

MD5
cc121032965a2f6d8c723806e8db982e

SHA1
2f6a891d9b22e5170ffcadbfd3a6c8d52c09a999

SHA256
146875d79455fb2f50080be422d36edb5be7568f0ce257d014ddbee6b2d6a1bd

SHA512
ba7d053d79dffad0e76ce703b14b17ef2614efa9d255105c76c2c550c2c2aff9996d678e8f16da2f7f06768d3957b30004fe01070fa06aceeb71de2133d77815

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
387KB

MD5
4698d827f1b292ed1be08c22c27e5cf2

SHA1
db78d42737e1eeeb01ecff6005a4510a2fa98074

SHA256
61e1c46af8e8e9a3953862f90a9e17501d2d2c52c2fc018aac24a434ffb3d898

SHA512
140f101ae156429d2637395819a14b5adb183f73046704beb4d8c71fc1fe9cf2c0dcf6e1862cc389634f02741b9b33a23241988a6b1163e691b50f23a7eb346c

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
387KB

MD5
4698d827f1b292ed1be08c22c27e5cf2

SHA1
db78d42737e1eeeb01ecff6005a4510a2fa98074

SHA256
61e1c46af8e8e9a3953862f90a9e17501d2d2c52c2fc018aac24a434ffb3d898

SHA512
140f101ae156429d2637395819a14b5adb183f73046704beb4d8c71fc1fe9cf2c0dcf6e1862cc389634f02741b9b33a23241988a6b1163e691b50f23a7eb346c

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
387KB

MD5
81589929beb2f5c498455b20fa2c7c0d

SHA1
02ee50d90bb843cb18a60836804cac896e732e19

SHA256
a0d8443a9f83e3e6ccb4443f67aff0958ab6e326a4dac4743cf35bcdca78c423

SHA512
66f163f58c5218ac8fd37c610b8445c32f790a12dd6533cdcb8adf867ad45d86f1320ca9741007c208c8cfb6c015fc8984372ec511f3d60c3742272ca50f4883

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
387KB

MD5
81589929beb2f5c498455b20fa2c7c0d

SHA1
02ee50d90bb843cb18a60836804cac896e732e19

SHA256
a0d8443a9f83e3e6ccb4443f67aff0958ab6e326a4dac4743cf35bcdca78c423

SHA512
66f163f58c5218ac8fd37c610b8445c32f790a12dd6533cdcb8adf867ad45d86f1320ca9741007c208c8cfb6c015fc8984372ec511f3d60c3742272ca50f4883

Download Submit
C:\Windows\SysWOW64\Pemomqcn.exe

Filesize
320KB

MD5
e4aa7331dc4f5f89fc41daa054788a40

SHA1
eb5a5ea87c31f24849b78b8e24fc50e98c2e654a

SHA256
8b4c2a97ae666c876726b7d6f173bf1e9f77002bc386816c4da4fdf920bbc1e5

SHA512
9ed47d90b186f790a2c061a775145fb9fc1eccb0dd9b81e929b5adefe7d63e6e6629992da6dd5f3d2e68b73499021f369d62fb1e809a0f3f4ab3d3360355c8b4

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
387KB

MD5
9b829b4728b9fb4aedfd9f87fc41fa03

SHA1
a29e67f11d015905606a7d8e8ea450ab96766c3c

SHA256
cdb69695522ed72b9d20f777fdb91144ef681ae745313230fa3867b69421a4d4

SHA512
3c0694596b0949cc9a5c16e37d4ea98ca0fc07d21bf5d2160d94dc4b3503a5a3922219f848e3472da2fe2809847b5f62969a08e9d8bc6c8b7eef4ce70cdd19a9

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
387KB

MD5
9b829b4728b9fb4aedfd9f87fc41fa03

SHA1
a29e67f11d015905606a7d8e8ea450ab96766c3c

SHA256
cdb69695522ed72b9d20f777fdb91144ef681ae745313230fa3867b69421a4d4

SHA512
3c0694596b0949cc9a5c16e37d4ea98ca0fc07d21bf5d2160d94dc4b3503a5a3922219f848e3472da2fe2809847b5f62969a08e9d8bc6c8b7eef4ce70cdd19a9

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
387KB

MD5
4bb60ed686c073627702437f5d59c83a

SHA1
b43cab371200c0cccd18a22d4d2b7d736ea80bba

SHA256
8660c60e85a23d559b5ba403ac94cf85adbe393797ff58288909d46f238ea1b7

SHA512
722bd9d85d70e98a028e27f91eac718b53758b1dc56476f6c860c44ecc3d5a5baa89f90e00ecda5deea1fe466367a729e31751bf256179d4aa3897057c02ec40

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
387KB

MD5
4bb60ed686c073627702437f5d59c83a

SHA1
b43cab371200c0cccd18a22d4d2b7d736ea80bba

SHA256
8660c60e85a23d559b5ba403ac94cf85adbe393797ff58288909d46f238ea1b7

SHA512
722bd9d85d70e98a028e27f91eac718b53758b1dc56476f6c860c44ecc3d5a5baa89f90e00ecda5deea1fe466367a729e31751bf256179d4aa3897057c02ec40

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
387KB

MD5
46a14ce37abf5c741016b91183bc67b6

SHA1
8f339a4f13e84bca5848a9dd1e1c934fc18e0736

SHA256
09ba1f61c32f946060a37ddf8c04d296bfa412beade3348db936fc6e43b95581

SHA512
e01589221f5847100f0c7f058d5e4a0fef72200ed4ab968ae44c55b1c376389894f572a6a575a4f49064ed24f81d66c95729684b7bb1d75d63be80024832c3d3

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
387KB

MD5
46a14ce37abf5c741016b91183bc67b6

SHA1
8f339a4f13e84bca5848a9dd1e1c934fc18e0736

SHA256
09ba1f61c32f946060a37ddf8c04d296bfa412beade3348db936fc6e43b95581

SHA512
e01589221f5847100f0c7f058d5e4a0fef72200ed4ab968ae44c55b1c376389894f572a6a575a4f49064ed24f81d66c95729684b7bb1d75d63be80024832c3d3

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
387KB

MD5
8176820de4e72da26447ba1c8d17458f

SHA1
cc848627821fcf8311c4a4b3307e629141dba452

SHA256
5c5d2df425c0fb6f00ac00ef326adc273d89a399096b8cfdc65586edfc5ad24d

SHA512
0444d9df2bc5c3e179ecda92dc061c961a0ac3d6b356009508f3380757a2e4988bb0e2113a8df4f846ea7a4a634b3fe12fafe7b64b92d98523c4f71ae9241798

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
387KB

MD5
8176820de4e72da26447ba1c8d17458f

SHA1
cc848627821fcf8311c4a4b3307e629141dba452

SHA256
5c5d2df425c0fb6f00ac00ef326adc273d89a399096b8cfdc65586edfc5ad24d

SHA512
0444d9df2bc5c3e179ecda92dc061c961a0ac3d6b356009508f3380757a2e4988bb0e2113a8df4f846ea7a4a634b3fe12fafe7b64b92d98523c4f71ae9241798

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
387KB

MD5
ee2002e31a63361970d328ad435203af

SHA1
a11bf82d2ca2c65213417f10dd5797e3491b4e77

SHA256
dc6e0fb14916199189461d4c4ce2995d4ac33b3c91012dda35debd5538051ee4

SHA512
7da86c5ed89180afe3c00abd2cd5edf0ee21cac3c6663405254d2f9df7bb1e01869778a76d8730b7b89aec62cef0ad74cecf3a34a7f51265ac13173f58b3113c

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
387KB

MD5
ee2002e31a63361970d328ad435203af

SHA1
a11bf82d2ca2c65213417f10dd5797e3491b4e77

SHA256
dc6e0fb14916199189461d4c4ce2995d4ac33b3c91012dda35debd5538051ee4

SHA512
7da86c5ed89180afe3c00abd2cd5edf0ee21cac3c6663405254d2f9df7bb1e01869778a76d8730b7b89aec62cef0ad74cecf3a34a7f51265ac13173f58b3113c

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
387KB

MD5
7d3e7be9b84d7b0a7b2df0aed13c8187

SHA1
c8d92194e9186e7ff86c662c4dc0aa2671c90ee2

SHA256
a9a470b9a74e4d87dcedf5a14db63ef2ecb771f0a888830afef8bc743ba8f367

SHA512
f31c4929126cf1fe578dedc559c108a7de601af3b0aaae76f8509bcd484bdf5cd386d210e0681b0da48d1bd1bc2509f69023b76ae4cd93906a6563b2df4cfa33

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
387KB

MD5
7d3e7be9b84d7b0a7b2df0aed13c8187

SHA1
c8d92194e9186e7ff86c662c4dc0aa2671c90ee2

SHA256
a9a470b9a74e4d87dcedf5a14db63ef2ecb771f0a888830afef8bc743ba8f367

SHA512
f31c4929126cf1fe578dedc559c108a7de601af3b0aaae76f8509bcd484bdf5cd386d210e0681b0da48d1bd1bc2509f69023b76ae4cd93906a6563b2df4cfa33

Download Submit
memory/400-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads