e62280d56357b9fb444623f223d67f4fae6124fffea2a77e96a19bb363886356

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01e8ea9dc09bf3bafa54293587b66504.exe
Size

448KB
MD5

01e8ea9dc09bf3bafa54293587b66504
SHA1

04edaff2669f38184ed81478993ec76476d44895
SHA256

e62280d56357b9fb444623f223d67f4fae6124fffea2a77e96a19bb363886356
SHA512

cc55a744d8a0c495977c3e21d333548cbd7f54adfd61e04f2eb2e6cc10d9a99b4b7c923a9bf46df42162f6740acfb623bee133887d1921551435333642b0ea8b
SSDEEP

6144:T2ygO7T6DU6EHPQ///NR5fLYG3eujPQ///NR5fTvpBtsE5PQ///NR5fLYG3eujPY:s/NcZ7/Nbvjuj/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohqbhdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkipgpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmfbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphphj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlambk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bepmoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkaopp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeehkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qachgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgjhpcmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbmfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icdheded.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfglfdkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meefofek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacbhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpdaepai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqpamb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oidhlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjdebfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncabfkqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoknihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcbohigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfbobf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlbojee.exe

Executes dropped EXE 64 IoCs

pid	Process
3056	Imfdff32.exe
1872	Ibcmom32.exe
804	Jmhale32.exe
4208	Jfaedkdp.exe
1764	Jmknaell.exe
1916	Jefbfgig.exe
380	Jbjcolha.exe
4772	Jmpgldhg.exe
3160	Jblpek32.exe
1608	Jmbdbd32.exe
1740	Kboljk32.exe
4956	Kpeiioac.exe
3984	Kebbafoj.exe
4356	Klljnp32.exe
1892	Kfankifm.exe
1180	Kefkme32.exe
5096	Kplpjn32.exe
3868	Leihbeib.exe
1236	Lpnlpnih.exe
208	Lfhdlh32.exe
372	Lmbmibhb.exe
452	Liimncmf.exe
4448	Ldoaklml.exe
4400	Lepncd32.exe
3040	Lbdolh32.exe
4348	Lebkhc32.exe
3728	Mbfkbhpa.exe
2448	Mipcob32.exe
2300	Megdccmb.exe
4144	Mlampmdo.exe
1332	Miemjaci.exe
4568	Mdjagjco.exe
764	Melnob32.exe
3992	Mlefklpj.exe
5016	Mcpnhfhf.exe
652	Npcoakfp.exe
4048	Ncbknfed.exe
2560	Ogkcpbam.exe
4308	Olhlhjpd.exe
4280	Ofqpqo32.exe
4056	Olkhmi32.exe
2624	Pjeoglgc.exe
2676	Pqpgdfnp.exe
1036	Pgioqq32.exe
4896	Pmfhig32.exe
5088	Pcppfaka.exe
4052	Pnfdcjkg.exe
868	Pcbmka32.exe
884	Pfaigm32.exe
4040	Qceiaa32.exe
2008	Qjoankoi.exe
2408	Qqijje32.exe
912	Ajanck32.exe
1452	Ampkof32.exe
964	Acjclpcf.exe
3960	Ajckij32.exe
3144	Ambgef32.exe
1512	Aeiofcji.exe
4872	Afjlnk32.exe
1092	Andqdh32.exe
5160	Aabmqd32.exe
5200	Aglemn32.exe
5232	Aminee32.exe
5300	Accfbokl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nefped32.exe	Nafjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Hkdjfb32.exe	Hcmbee32.exe
File opened for modification	C:\Windows\SysWOW64\Jgkdbacp.exe	Jdmgfedl.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Mholheco.dll	Bcelmhen.exe
File created	C:\Windows\SysWOW64\Gcbpne32.dll	Mhdckaeo.exe
File created	C:\Windows\SysWOW64\Ecefqnel.exe	Ejlbhh32.exe
File created	C:\Windows\SysWOW64\Efccmidp.exe	Ecefqnel.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Inmdohhp.dll	Khgbqkhj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Klljnp32.exe
File created	C:\Windows\SysWOW64\Aijnep32.exe	Agiamhdo.exe
File created	C:\Windows\SysWOW64\Paihbi32.dll	Jhijqj32.exe
File created	C:\Windows\SysWOW64\Ekodjiol.exe	Eeelnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ifomll32.exe	Iohejo32.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Nnfgcd32.exe	Ncabfkqo.exe
File opened for modification	C:\Windows\SysWOW64\Ckclhn32.exe	Bdickcpo.exe
File created	C:\Windows\SysWOW64\Gmiadfmi.dll	Fmfgek32.exe
File opened for modification	C:\Windows\SysWOW64\Gpaihooo.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	Lhenai32.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Pjdhbppo.dll	Jpcapp32.exe
File created	C:\Windows\SysWOW64\Odlkfe32.dll	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Dnonkq32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Mcgckb32.dll	Iafkld32.exe
File created	C:\Windows\SysWOW64\Mpnmig32.dll	Johggfha.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Gbkdod32.exe	Gqkhda32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ljobpiql.exe	Kcejco32.exe
File opened for modification	C:\Windows\SysWOW64\Nfohgqlg.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Acpbbi32.exe	Aijnep32.exe
File created	C:\Windows\SysWOW64\Oqadgkdb.dll	Cdecgbfa.exe
File opened for modification	C:\Windows\SysWOW64\Ddgplado.exe	Dkokcl32.exe
File created	C:\Windows\SysWOW64\Dbbffdlq.exe	Dodjjimm.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Kbhmbdle.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Llodgnja.exe	Ljqhkckn.exe
File opened for modification	C:\Windows\SysWOW64\Gpmomo32.exe	Fbgbnkfm.exe
File opened for modification	C:\Windows\SysWOW64\Lhenai32.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Eafbmgad.exe
File opened for modification	C:\Windows\SysWOW64\Gphphj32.exe	Gmiclo32.exe
File opened for modification	C:\Windows\SysWOW64\Napjdpcn.exe	Nnbnhedj.exe
File opened for modification	C:\Windows\SysWOW64\Pmaffnce.exe	Plpjoe32.exe
File created	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Fdepgkgj.exe	Flngfn32.exe
File created	C:\Windows\SysWOW64\Jcdala32.exe	Jpfepf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gppcmeem.exe
File created	C:\Windows\SysWOW64\Bmeandma.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Gmiclo32.exe	Gkkgpc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8888	8516	WerFault.exe	995

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejalcgkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqmidndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjfnedho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmiclo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhefclee.dll"	Ecefqnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll"	Nclikl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flkdfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciggeb32.dll"	Bnoknihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anqlll32.dll"	Ohhnbhok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olicnfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhonib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljkifn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll"	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooiolbic.dll"	Qqffjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlon32.dll"	Nlfelogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll"	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll"	Impliekg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoaed32.dll"	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll"	Apkjddke.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3056	2816	01e8ea9dc09bf3bafa54293587b66504.exe	90
PID 2816 wrote to memory of 3056	2816	01e8ea9dc09bf3bafa54293587b66504.exe	90
PID 2816 wrote to memory of 3056	2816	01e8ea9dc09bf3bafa54293587b66504.exe	90
PID 3056 wrote to memory of 1872	3056	Imfdff32.exe	91
PID 3056 wrote to memory of 1872	3056	Imfdff32.exe	91
PID 3056 wrote to memory of 1872	3056	Imfdff32.exe	91
PID 1872 wrote to memory of 804	1872	Ibcmom32.exe	92
PID 1872 wrote to memory of 804	1872	Ibcmom32.exe	92
PID 1872 wrote to memory of 804	1872	Ibcmom32.exe	92
PID 804 wrote to memory of 4208	804	Jmhale32.exe	174
PID 804 wrote to memory of 4208	804	Jmhale32.exe	174
PID 804 wrote to memory of 4208	804	Jmhale32.exe	174
PID 4208 wrote to memory of 1764	4208	Jfaedkdp.exe	173
PID 4208 wrote to memory of 1764	4208	Jfaedkdp.exe	173
PID 4208 wrote to memory of 1764	4208	Jfaedkdp.exe	173
PID 1764 wrote to memory of 1916	1764	Jmknaell.exe	93
PID 1764 wrote to memory of 1916	1764	Jmknaell.exe	93
PID 1764 wrote to memory of 1916	1764	Jmknaell.exe	93
PID 1916 wrote to memory of 380	1916	Jefbfgig.exe	94
PID 1916 wrote to memory of 380	1916	Jefbfgig.exe	94
PID 1916 wrote to memory of 380	1916	Jefbfgig.exe	94
PID 380 wrote to memory of 4772	380	Jbjcolha.exe	172
PID 380 wrote to memory of 4772	380	Jbjcolha.exe	172
PID 380 wrote to memory of 4772	380	Jbjcolha.exe	172
PID 4772 wrote to memory of 3160	4772	Jmpgldhg.exe	171
PID 4772 wrote to memory of 3160	4772	Jmpgldhg.exe	171
PID 4772 wrote to memory of 3160	4772	Jmpgldhg.exe	171
PID 3160 wrote to memory of 1608	3160	Jblpek32.exe	95
PID 3160 wrote to memory of 1608	3160	Jblpek32.exe	95
PID 3160 wrote to memory of 1608	3160	Jblpek32.exe	95
PID 1608 wrote to memory of 1740	1608	Jmbdbd32.exe	170
PID 1608 wrote to memory of 1740	1608	Jmbdbd32.exe	170
PID 1608 wrote to memory of 1740	1608	Jmbdbd32.exe	170
PID 1740 wrote to memory of 4956	1740	Kboljk32.exe	168
PID 1740 wrote to memory of 4956	1740	Kboljk32.exe	168
PID 1740 wrote to memory of 4956	1740	Kboljk32.exe	168
PID 4956 wrote to memory of 3984	4956	Kpeiioac.exe	167
PID 4956 wrote to memory of 3984	4956	Kpeiioac.exe	167
PID 4956 wrote to memory of 3984	4956	Kpeiioac.exe	167
PID 3984 wrote to memory of 4356	3984	Kebbafoj.exe	97
PID 3984 wrote to memory of 4356	3984	Kebbafoj.exe	97
PID 3984 wrote to memory of 4356	3984	Kebbafoj.exe	97
PID 4356 wrote to memory of 1892	4356	Klljnp32.exe	166
PID 4356 wrote to memory of 1892	4356	Klljnp32.exe	166
PID 4356 wrote to memory of 1892	4356	Klljnp32.exe	166
PID 1892 wrote to memory of 1180	1892	Kfankifm.exe	98
PID 1892 wrote to memory of 1180	1892	Kfankifm.exe	98
PID 1892 wrote to memory of 1180	1892	Kfankifm.exe	98
PID 1180 wrote to memory of 5096	1180	Kefkme32.exe	99
PID 1180 wrote to memory of 5096	1180	Kefkme32.exe	99
PID 1180 wrote to memory of 5096	1180	Kefkme32.exe	99
PID 5096 wrote to memory of 3868	5096	Kplpjn32.exe	100
PID 5096 wrote to memory of 3868	5096	Kplpjn32.exe	100
PID 5096 wrote to memory of 3868	5096	Kplpjn32.exe	100
PID 3868 wrote to memory of 1236	3868	Leihbeib.exe	164
PID 3868 wrote to memory of 1236	3868	Leihbeib.exe	164
PID 3868 wrote to memory of 1236	3868	Leihbeib.exe	164
PID 1236 wrote to memory of 208	1236	Lpnlpnih.exe	101
PID 1236 wrote to memory of 208	1236	Lpnlpnih.exe	101
PID 1236 wrote to memory of 208	1236	Lpnlpnih.exe	101
PID 208 wrote to memory of 372	208	Lfhdlh32.exe	122
PID 208 wrote to memory of 372	208	Lfhdlh32.exe	122
PID 208 wrote to memory of 372	208	Lfhdlh32.exe	122
PID 372 wrote to memory of 452	372	Lmbmibhb.exe	121

C:\Users\Admin\AppData\Local\Temp\01e8ea9dc09bf3bafa54293587b66504.exe
"C:\Users\Admin\AppData\Local\Temp\01e8ea9dc09bf3bafa54293587b66504.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Imfdff32.exe
  C:\Windows\system32\Imfdff32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\Ibcmom32.exe
    C:\Windows\system32\Ibcmom32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\Jmhale32.exe
      C:\Windows\system32\Jmhale32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208

C:\Windows\SysWOW64\Jefbfgig.exe
C:\Windows\system32\Jefbfgig.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\Jbjcolha.exe
  C:\Windows\system32\Jbjcolha.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\Jmpgldhg.exe
    C:\Windows\system32\Jmpgldhg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4772

C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1740

C:\Windows\SysWOW64\Klljnp32.exe
C:\Windows\system32\Klljnp32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\Kfankifm.exe
  C:\Windows\system32\Kfankifm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1892

C:\Windows\SysWOW64\Kefkme32.exe
C:\Windows\system32\Kefkme32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\Leihbeib.exe
    C:\Windows\system32\Leihbeib.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\Lpnlpnih.exe
      C:\Windows\system32\Lpnlpnih.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1236

C:\Windows\SysWOW64\Lfhdlh32.exe
C:\Windows\system32\Lfhdlh32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Lmbmibhb.exe
  C:\Windows\system32\Lmbmibhb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:372

C:\Windows\SysWOW64\Lbdolh32.exe
C:\Windows\system32\Lbdolh32.exe
1⤵
- Executes dropped EXE
PID:3040
- C:\Windows\SysWOW64\Lebkhc32.exe
  C:\Windows\system32\Lebkhc32.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- - C:\Windows\SysWOW64\Mbfkbhpa.exe
    C:\Windows\system32\Mbfkbhpa.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3728
  - - C:\Windows\SysWOW64\Mipcob32.exe
      C:\Windows\system32\Mipcob32.exe
      4⤵
      Executes dropped EXE
      PID:2448
    - - C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        5⤵
        
        PID:8400
      - C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        6⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        7⤵
        
        PID:4540
- - C:\Windows\SysWOW64\Naecop32.exe
    C:\Windows\system32\Naecop32.exe
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\Nmlddqem.exe
      C:\Windows\system32\Nmlddqem.exe
      4⤵
      PID:2448
- C:\Windows\SysWOW64\Nnfgcd32.exe
  C:\Windows\system32\Nnfgcd32.exe
  2⤵
  PID:4348

C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
1⤵
- Executes dropped EXE
PID:2300
- C:\Windows\SysWOW64\Mlampmdo.exe
  C:\Windows\system32\Mlampmdo.exe
  2⤵
  - Executes dropped EXE
  PID:4144

C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
1⤵
- Executes dropped EXE
PID:1332
- C:\Windows\SysWOW64\Mdjagjco.exe
  C:\Windows\system32\Mdjagjco.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4568

C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764
- C:\Windows\SysWOW64\Mlefklpj.exe
  C:\Windows\system32\Mlefklpj.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- - C:\Windows\SysWOW64\Mcpnhfhf.exe
    C:\Windows\system32\Mcpnhfhf.exe
    3⤵
    - Executes dropped EXE
    PID:5016
  - - C:\Windows\SysWOW64\Npcoakfp.exe
      C:\Windows\system32\Npcoakfp.exe
      4⤵
      Executes dropped EXE
      PID:652
    - - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        5⤵
        Executes dropped EXE
        
        PID:4048
      - C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        6⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308

C:\Windows\SysWOW64\Lepncd32.exe
C:\Windows\system32\Lepncd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4400

C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4280
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- - C:\Windows\SysWOW64\Pjeoglgc.exe
    C:\Windows\system32\Pjeoglgc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:2624

C:\Windows\SysWOW64\Ldoaklml.exe
C:\Windows\system32\Ldoaklml.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\Liimncmf.exe
C:\Windows\system32\Liimncmf.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
1⤵
- Executes dropped EXE
PID:2676
- C:\Windows\SysWOW64\Pgioqq32.exe
  C:\Windows\system32\Pgioqq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:1036
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Executes dropped EXE
    PID:4896
  - - C:\Windows\SysWOW64\Pcppfaka.exe
      C:\Windows\system32\Pcppfaka.exe
      4⤵
      Executes dropped EXE
      PID:5088
    - - C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        5⤵
        Executes dropped EXE
        
        PID:4052
      - C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        9⤵
        Executes dropped EXE
        
        PID:2008

C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
1⤵
- Executes dropped EXE
PID:912
- C:\Windows\SysWOW64\Ampkof32.exe
  C:\Windows\system32\Ampkof32.exe
  2⤵
  - Executes dropped EXE
  PID:1452

C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
1⤵
- Executes dropped EXE
PID:964
- C:\Windows\SysWOW64\Ajckij32.exe
  C:\Windows\system32\Ajckij32.exe
  2⤵
  - Executes dropped EXE
  PID:3960

C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3144
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- - C:\Windows\SysWOW64\Afjlnk32.exe
    C:\Windows\system32\Afjlnk32.exe
    3⤵
    - Executes dropped EXE
    PID:4872
  - - C:\Windows\SysWOW64\Andqdh32.exe
      C:\Windows\system32\Andqdh32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1092
    - - C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        5⤵
        Executes dropped EXE
        
        PID:5160
      - C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5200

C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
1⤵
- Executes dropped EXE
PID:5232
- C:\Windows\SysWOW64\Accfbokl.exe
  C:\Windows\system32\Accfbokl.exe
  2⤵
  - Executes dropped EXE
  PID:5300
- - C:\Windows\SysWOW64\Bganhm32.exe
    C:\Windows\system32\Bganhm32.exe
    3⤵
    - Drops file in System32 directory
    PID:5340
  - - C:\Windows\SysWOW64\Bjokdipf.exe
      C:\Windows\system32\Bjokdipf.exe
      4⤵
      PID:5384
    - - C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        5⤵
        
        PID:5428
      - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        6⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
1⤵
PID:5576
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\Bnbmefbg.exe
    C:\Windows\system32\Bnbmefbg.exe
    3⤵
    PID:5672
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      PID:5712
    - - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        5⤵
        
        PID:5752

C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
1⤵
PID:5792
- C:\Windows\SysWOW64\Cabfga32.exe
  C:\Windows\system32\Cabfga32.exe
  2⤵
  - Drops file in System32 directory
  PID:5832
- - C:\Windows\SysWOW64\Chmndlge.exe
    C:\Windows\system32\Chmndlge.exe
    3⤵
    PID:5876
  - - C:\Windows\SysWOW64\Cmiflbel.exe
      C:\Windows\system32\Cmiflbel.exe
      4⤵
      PID:5916
    - - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        7⤵
        
        PID:6080

C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\Jblpek32.exe
C:\Windows\system32\Jblpek32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\Jmknaell.exe
C:\Windows\system32\Jmknaell.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\Fdkggg32.exe
C:\Windows\system32\Fdkggg32.exe
1⤵
PID:2292
- C:\Windows\SysWOW64\Fkeodaai.exe
  C:\Windows\system32\Fkeodaai.exe
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\Gekcaj32.exe
    C:\Windows\system32\Gekcaj32.exe
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\Gkglja32.exe
      C:\Windows\system32\Gkglja32.exe
      4⤵
      PID:2956
    - - C:\Windows\SysWOW64\Gnfhfl32.exe
        
        C:\Windows\system32\Gnfhfl32.exe
        5⤵
        
        PID:5436
      - C:\Windows\SysWOW64\Gempgj32.exe
        
        C:\Windows\system32\Gempgj32.exe
        6⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Gkjhoq32.exe
        
        C:\Windows\system32\Gkjhoq32.exe
        7⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Gepmlimi.exe
        
        C:\Windows\system32\Gepmlimi.exe
        8⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ghniielm.exe
        
        C:\Windows\system32\Ghniielm.exe
        9⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Gafmaj32.exe
        
        C:\Windows\system32\Gafmaj32.exe
        10⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Gddinf32.exe
        
        C:\Windows\system32\Gddinf32.exe
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Gojnko32.exe
        
        C:\Windows\system32\Gojnko32.exe
        12⤵
        
        PID:4436

C:\Windows\SysWOW64\Gkaopp32.exe
C:\Windows\system32\Gkaopp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536
- C:\Windows\SysWOW64\Hakgmjoh.exe
  C:\Windows\system32\Hakgmjoh.exe
  2⤵
  PID:6088
- - C:\Windows\SysWOW64\Hheoid32.exe
    C:\Windows\system32\Hheoid32.exe
    3⤵
    PID:5168
  - - C:\Windows\SysWOW64\Hoogfnnb.exe
      C:\Windows\system32\Hoogfnnb.exe
      4⤵
      PID:5332
    - - C:\Windows\SysWOW64\Klkcdj32.exe
        
        C:\Windows\system32\Klkcdj32.exe
        5⤵
        
        PID:4904
      - C:\Windows\SysWOW64\Loeolc32.exe
        
        C:\Windows\system32\Loeolc32.exe
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Nbcqiope.exe
        
        C:\Windows\system32\Nbcqiope.exe
        7⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Npgabc32.exe
        
        C:\Windows\system32\Npgabc32.exe
        8⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Ncfmno32.exe
        
        C:\Windows\system32\Ncfmno32.exe
        9⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Npjnhc32.exe
        
        C:\Windows\system32\Npjnhc32.exe
        10⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Nchjdo32.exe
        
        C:\Windows\system32\Nchjdo32.exe
        11⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Nlqomd32.exe
        
        C:\Windows\system32\Nlqomd32.exe
        12⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\Ncjginjn.exe
        
        C:\Windows\system32\Ncjginjn.exe
        13⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        14⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Opogbbig.exe
        
        C:\Windows\system32\Opogbbig.exe
        15⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Ogpepl32.exe
        
        C:\Windows\system32\Ogpepl32.exe
        16⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Ohqbhdpj.exe
        
        C:\Windows\system32\Ohqbhdpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        18⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Pgflqkdd.exe
        
        C:\Windows\system32\Pgflqkdd.exe
        19⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        20⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Qgnbaj32.exe
        
        C:\Windows\system32\Qgnbaj32.exe
        21⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        22⤵
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Qqffjo32.exe
        
        C:\Windows\system32\Qqffjo32.exe
        23⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        24⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Qqhcpo32.exe
        
        C:\Windows\system32\Qqhcpo32.exe
        26⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        27⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        28⤵
        
        PID:944
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        29⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        30⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Amaqjp32.exe
        
        C:\Windows\system32\Amaqjp32.exe
        31⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Aobilkcl.exe
        
        C:\Windows\system32\Aobilkcl.exe
        32⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        33⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Aijnep32.exe
        
        C:\Windows\system32\Aijnep32.exe
        34⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Acpbbi32.exe
        
        C:\Windows\system32\Acpbbi32.exe
        35⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        37⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        38⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Bmmpfn32.exe
        
        C:\Windows\system32\Bmmpfn32.exe
        39⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        40⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Gnhnaf32.exe
        
        C:\Windows\system32\Gnhnaf32.exe
        41⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ghmbno32.exe
        
        C:\Windows\system32\Ghmbno32.exe
        42⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Hkjjlhle.exe
        
        C:\Windows\system32\Hkjjlhle.exe
        43⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        45⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Iahlcaol.exe
        
        C:\Windows\system32\Iahlcaol.exe
        46⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ihbdplfi.exe
        
        C:\Windows\system32\Ihbdplfi.exe
        47⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        48⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        49⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Iqmidndd.exe
        
        C:\Windows\system32\Iqmidndd.exe
        50⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Ihdafkdg.exe
        
        C:\Windows\system32\Ihdafkdg.exe
        51⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        52⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Ibmeoq32.exe
        
        C:\Windows\system32\Ibmeoq32.exe
        53⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ihgnkkbd.exe
        
        C:\Windows\system32\Ihgnkkbd.exe
        54⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ikejgf32.exe
        
        C:\Windows\system32\Ikejgf32.exe
        55⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        56⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        57⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Jhijqj32.exe
        
        C:\Windows\system32\Jhijqj32.exe
        58⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        59⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        60⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        61⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        62⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        63⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Jjopcb32.exe
        
        C:\Windows\system32\Jjopcb32.exe
        64⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Jbfheo32.exe
        
        C:\Windows\system32\Jbfheo32.exe
        65⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Jdedak32.exe
        
        C:\Windows\system32\Jdedak32.exe
        66⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Jgcamf32.exe
        
        C:\Windows\system32\Jgcamf32.exe
        67⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        68⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        69⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        70⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kelkaj32.exe
        
        C:\Windows\system32\Kelkaj32.exe
        71⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Kkfcndce.exe
        
        C:\Windows\system32\Kkfcndce.exe
        72⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        73⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        74⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Kageaj32.exe
        
        C:\Windows\system32\Kageaj32.exe
        75⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kgamnded.exe
        
        C:\Windows\system32\Kgamnded.exe
        76⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Kjpijpdg.exe
        
        C:\Windows\system32\Kjpijpdg.exe
        77⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        78⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        79⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Lbkkgl32.exe
        
        C:\Windows\system32\Lbkkgl32.exe
        80⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        81⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        82⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        83⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        84⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        85⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        86⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        87⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        88⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Mjpbam32.exe
        
        C:\Windows\system32\Mjpbam32.exe
        89⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        90⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Meefofek.exe
        
        C:\Windows\system32\Meefofek.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mhdckaeo.exe
        
        C:\Windows\system32\Mhdckaeo.exe
        92⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Mjbogmdb.exe
        
        C:\Windows\system32\Mjbogmdb.exe
        93⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Malgcg32.exe
        
        C:\Windows\system32\Malgcg32.exe
        94⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        95⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Mldhfpib.exe
        
        C:\Windows\system32\Mldhfpib.exe
        96⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Nemmoe32.exe
        
        C:\Windows\system32\Nemmoe32.exe
        97⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        98⤵
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        99⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        100⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        101⤵
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        102⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        103⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        104⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Oidhlb32.exe
        
        C:\Windows\system32\Oidhlb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Ooqqdi32.exe
        
        C:\Windows\system32\Ooqqdi32.exe
        106⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Olgncmim.exe
        
        C:\Windows\system32\Olgncmim.exe
        107⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        108⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        109⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        110⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        111⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        112⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        113⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        114⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Dckdjomg.exe
        
        C:\Windows\system32\Dckdjomg.exe
        115⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        116⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Dpdaepai.exe
        
        C:\Windows\system32\Dpdaepai.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8184
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        118⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7268
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        121⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        122⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        123⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        124⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        125⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        124⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        125⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        126⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        127⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        128⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        129⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        130⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        131⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        132⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        133⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        134⤵
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        135⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        136⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        137⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        138⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        139⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        140⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        141⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        142⤵
        Modifies registry class
        
        PID:14192
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        143⤵
        Modifies registry class
        
        PID:14244
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        144⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        145⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        146⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 400
        147⤵
        Program crash
        
        PID:8888

C:\Windows\SysWOW64\Eiieicml.exe
C:\Windows\system32\Eiieicml.exe
1⤵
PID:7708
- C:\Windows\SysWOW64\Fpbmfn32.exe
  C:\Windows\system32\Fpbmfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7772
- - C:\Windows\SysWOW64\Fjhacf32.exe
    C:\Windows\system32\Fjhacf32.exe
    3⤵
    PID:7860
  - - C:\Windows\SysWOW64\Fpejlmcf.exe
      C:\Windows\system32\Fpejlmcf.exe
      4⤵
      PID:7932
    - - C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        5⤵
        
        PID:7992
      - C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        6⤵
        
        PID:8044

C:\Windows\SysWOW64\Fpggamqc.exe
C:\Windows\system32\Fpggamqc.exe
1⤵
PID:8108
- C:\Windows\SysWOW64\Fjmkoeqi.exe
  C:\Windows\system32\Fjmkoeqi.exe
  2⤵
  PID:8156
- - C:\Windows\SysWOW64\Flngfn32.exe
    C:\Windows\system32\Flngfn32.exe
    3⤵
    - Drops file in System32 directory
    PID:7264
  - - C:\Windows\SysWOW64\Fdepgkgj.exe
      C:\Windows\system32\Fdepgkgj.exe
      4⤵
      PID:7344

C:\Windows\SysWOW64\Fibhpbea.exe
C:\Windows\system32\Fibhpbea.exe
1⤵
PID:7492
- C:\Windows\SysWOW64\Flqdlnde.exe
  C:\Windows\system32\Flqdlnde.exe
  2⤵
  PID:7564
- - C:\Windows\SysWOW64\Fjadje32.exe
    C:\Windows\system32\Fjadje32.exe
    3⤵
    PID:7668
  - - C:\Windows\SysWOW64\Gpnmbl32.exe
      C:\Windows\system32\Gpnmbl32.exe
      4⤵
      PID:7852
    - - C:\Windows\SysWOW64\Glengm32.exe
        
        C:\Windows\system32\Glengm32.exe
        5⤵
        
        PID:7956
      - C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        6⤵
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Glgjlm32.exe
        
        C:\Windows\system32\Glgjlm32.exe
        7⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        8⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        9⤵
        
        PID:7452

C:\Windows\SysWOW64\Gljgbllj.exe
C:\Windows\system32\Gljgbllj.exe
1⤵
PID:7696
- C:\Windows\SysWOW64\Gbdoof32.exe
  C:\Windows\system32\Gbdoof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6228
- - C:\Windows\SysWOW64\Gkkgpc32.exe
    C:\Windows\system32\Gkkgpc32.exe
    3⤵
    - Drops file in System32 directory
    PID:8052
  - - C:\Windows\SysWOW64\Gmiclo32.exe
      C:\Windows\system32\Gmiclo32.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:7216

C:\Windows\SysWOW64\Gphphj32.exe
C:\Windows\system32\Gphphj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7436
- C:\Windows\SysWOW64\Gbfldf32.exe
  C:\Windows\system32\Gbfldf32.exe
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\Gipdap32.exe
    C:\Windows\system32\Gipdap32.exe
    3⤵
    PID:8076

C:\Windows\SysWOW64\Hloqml32.exe
C:\Windows\system32\Hloqml32.exe
1⤵
PID:7212
- C:\Windows\SysWOW64\Hdehni32.exe
  C:\Windows\system32\Hdehni32.exe
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\Hgdejd32.exe
    C:\Windows\system32\Hgdejd32.exe
    3⤵
    PID:8164
  - - C:\Windows\SysWOW64\Hibafp32.exe
      C:\Windows\system32\Hibafp32.exe
      4⤵
      PID:7316

C:\Windows\SysWOW64\Hlambk32.exe
C:\Windows\system32\Hlambk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2328
- C:\Windows\SysWOW64\Hdhedh32.exe
  C:\Windows\system32\Hdhedh32.exe
  2⤵
  PID:8204

C:\Windows\SysWOW64\Hgfapd32.exe
C:\Windows\system32\Hgfapd32.exe
1⤵
PID:8244
- C:\Windows\SysWOW64\Hienlpel.exe
  C:\Windows\system32\Hienlpel.exe
  2⤵
  PID:8292
- - C:\Windows\SysWOW64\Hpofii32.exe
    C:\Windows\system32\Hpofii32.exe
    3⤵
    PID:8332
  - - C:\Windows\SysWOW64\Hcmbee32.exe
      C:\Windows\system32\Hcmbee32.exe
      4⤵
      Drops file in System32 directory
      PID:8376
    - - C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        5⤵
        
        PID:8416

C:\Windows\SysWOW64\Hmbfbn32.exe
C:\Windows\system32\Hmbfbn32.exe
1⤵
PID:8460
- C:\Windows\SysWOW64\Hpabni32.exe
  C:\Windows\system32\Hpabni32.exe
  2⤵
  PID:8504
- - C:\Windows\SysWOW64\Hcpojd32.exe
    C:\Windows\system32\Hcpojd32.exe
    3⤵
    PID:8548
  - - C:\Windows\SysWOW64\Hiiggoaf.exe
      C:\Windows\system32\Hiiggoaf.exe
      4⤵
      PID:8592

C:\Windows\SysWOW64\Hlhccj32.exe
C:\Windows\system32\Hlhccj32.exe
1⤵
PID:8632
- C:\Windows\SysWOW64\Hcblpdgg.exe
  C:\Windows\system32\Hcblpdgg.exe
  2⤵
  PID:8680
- - C:\Windows\SysWOW64\Hildmn32.exe
    C:\Windows\system32\Hildmn32.exe
    3⤵
    PID:8724
  - - C:\Windows\SysWOW64\Ipflihfq.exe
      C:\Windows\system32\Ipflihfq.exe
      4⤵
      PID:8772
    - - C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8816
      - C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        6⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        7⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        8⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        9⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        10⤵
        
        PID:9024

C:\Windows\SysWOW64\Iciaqc32.exe
C:\Windows\system32\Iciaqc32.exe
1⤵
PID:9068
- C:\Windows\SysWOW64\Ikpjbq32.exe
  C:\Windows\system32\Ikpjbq32.exe
  2⤵
  PID:9108
- - C:\Windows\SysWOW64\Ilafiihp.exe
    C:\Windows\system32\Ilafiihp.exe
    3⤵
    PID:9148

C:\Windows\SysWOW64\Idhnkf32.exe
C:\Windows\system32\Idhnkf32.exe
1⤵
PID:9192
- C:\Windows\SysWOW64\Iggjga32.exe
  C:\Windows\system32\Iggjga32.exe
  2⤵
  PID:8224

C:\Windows\SysWOW64\Inqbclob.exe
C:\Windows\system32\Inqbclob.exe
1⤵
PID:8280
- C:\Windows\SysWOW64\Ipoopgnf.exe
  C:\Windows\system32\Ipoopgnf.exe
  2⤵
  PID:8356
- - C:\Windows\SysWOW64\Igigla32.exe
    C:\Windows\system32\Igigla32.exe
    3⤵
    PID:8428
  - - C:\Windows\SysWOW64\Jjgchm32.exe
      C:\Windows\system32\Jjgchm32.exe
      4⤵
      PID:8512

C:\Windows\SysWOW64\Jlfpdh32.exe
C:\Windows\system32\Jlfpdh32.exe
1⤵
PID:8584
- C:\Windows\SysWOW64\Jdmgfedl.exe
  C:\Windows\system32\Jdmgfedl.exe
  2⤵
  - Drops file in System32 directory
  PID:8616
- - C:\Windows\SysWOW64\Jgkdbacp.exe
    C:\Windows\system32\Jgkdbacp.exe
    3⤵
    PID:8720
  - - C:\Windows\SysWOW64\Jlhljhbg.exe
      C:\Windows\system32\Jlhljhbg.exe
      4⤵
      PID:8752
    - - C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        5⤵
        
        PID:8844

C:\Windows\SysWOW64\Jgnqgqan.exe
C:\Windows\system32\Jgnqgqan.exe
1⤵
PID:8932
- C:\Windows\SysWOW64\Jjlmclqa.exe
  C:\Windows\system32\Jjlmclqa.exe
  2⤵
  PID:8976

C:\Windows\SysWOW64\Jlkipgpe.exe
C:\Windows\system32\Jlkipgpe.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9064
- C:\Windows\SysWOW64\Jpfepf32.exe
  C:\Windows\system32\Jpfepf32.exe
  2⤵
  - Drops file in System32 directory
  PID:9132
- - C:\Windows\SysWOW64\Jcdala32.exe
    C:\Windows\system32\Jcdala32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9200
  - - C:\Windows\SysWOW64\Jklinohd.exe
      C:\Windows\system32\Jklinohd.exe
      4⤵
      PID:8288
- - C:\Windows\SysWOW64\Pfncia32.exe
    C:\Windows\system32\Pfncia32.exe
    3⤵
    PID:8448
  - - C:\Windows\SysWOW64\Pkmhgh32.exe
      C:\Windows\system32\Pkmhgh32.exe
      4⤵
      PID:13408
    - - C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        5⤵
        
        PID:8268

C:\Windows\SysWOW64\Jlmfeg32.exe
C:\Windows\system32\Jlmfeg32.exe
1⤵
PID:8424
- C:\Windows\SysWOW64\Jcgnbaeo.exe
  C:\Windows\system32\Jcgnbaeo.exe
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\Jnlbojee.exe
    C:\Windows\system32\Jnlbojee.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:8608

C:\Windows\SysWOW64\Jgeghp32.exe
C:\Windows\system32\Jgeghp32.exe
1⤵
PID:8824
- C:\Windows\SysWOW64\Kclgmq32.exe
  C:\Windows\system32\Kclgmq32.exe
  2⤵
  PID:8968
- - C:\Windows\SysWOW64\Kkconn32.exe
    C:\Windows\system32\Kkconn32.exe
    3⤵
    PID:9116

C:\Windows\SysWOW64\Knalji32.exe
C:\Windows\system32\Knalji32.exe
1⤵
PID:4064
- C:\Windows\SysWOW64\Kcndbp32.exe
  C:\Windows\system32\Kcndbp32.exe
  2⤵
  PID:7664
- - C:\Windows\SysWOW64\Kqbdldnq.exe
    C:\Windows\system32\Kqbdldnq.exe
    3⤵
    PID:1920

C:\Windows\SysWOW64\Kcpahpmd.exe
C:\Windows\system32\Kcpahpmd.exe
1⤵
PID:3056
- C:\Windows\SysWOW64\Kjjiej32.exe
  C:\Windows\system32\Kjjiej32.exe
  2⤵
  PID:8568

C:\Windows\SysWOW64\Kdpmbc32.exe
C:\Windows\system32\Kdpmbc32.exe
1⤵
PID:8664
- C:\Windows\SysWOW64\Kgninn32.exe
  C:\Windows\system32\Kgninn32.exe
  2⤵
  PID:8764

C:\Windows\SysWOW64\Kjmfjj32.exe
C:\Windows\system32\Kjmfjj32.exe
1⤵
PID:4500
- C:\Windows\SysWOW64\Kmkbfeab.exe
  C:\Windows\system32\Kmkbfeab.exe
  2⤵
  PID:9032

C:\Windows\SysWOW64\Kcejco32.exe
C:\Windows\system32\Kcejco32.exe
1⤵
- Drops file in System32 directory
PID:9180
- C:\Windows\SysWOW64\Ljobpiql.exe
  C:\Windows\system32\Ljobpiql.exe
  2⤵
  PID:752
- - C:\Windows\SysWOW64\Lcggio32.exe
    C:\Windows\system32\Lcggio32.exe
    3⤵
    PID:8396

C:\Windows\SysWOW64\Ljaoeini.exe
C:\Windows\system32\Ljaoeini.exe
1⤵
PID:1460
- C:\Windows\SysWOW64\Ljclki32.exe
  C:\Windows\system32\Ljclki32.exe
  2⤵
  PID:8780
- - C:\Windows\SysWOW64\Ldipha32.exe
    C:\Windows\system32\Ldipha32.exe
    3⤵
    PID:4756

C:\Windows\SysWOW64\Lnadagbm.exe
C:\Windows\system32\Lnadagbm.exe
1⤵
PID:8200
- C:\Windows\SysWOW64\Lqpamb32.exe
  C:\Windows\system32\Lqpamb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2768

C:\Windows\SysWOW64\Lgjijmin.exe
C:\Windows\system32\Lgjijmin.exe
1⤵
PID:8316
- C:\Windows\SysWOW64\Ljhefhha.exe
  C:\Windows\system32\Ljhefhha.exe
  2⤵
  PID:1628

C:\Windows\SysWOW64\Lmgabcge.exe
C:\Windows\system32\Lmgabcge.exe
1⤵
PID:4532
- C:\Windows\SysWOW64\Mgaokl32.exe
  C:\Windows\system32\Mgaokl32.exe
  2⤵
  PID:664
- - C:\Windows\SysWOW64\Mmnhcb32.exe
    C:\Windows\system32\Mmnhcb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:3412

C:\Windows\SysWOW64\Lkchelci.exe
C:\Windows\system32\Lkchelci.exe
1⤵
PID:9020

C:\Windows\SysWOW64\Kdbjhbbd.exe
C:\Windows\system32\Kdbjhbbd.exe
1⤵
PID:4816

C:\Windows\SysWOW64\Jdfjld32.exe
C:\Windows\system32\Jdfjld32.exe
1⤵
PID:8736

C:\Windows\SysWOW64\Meepdp32.exe
C:\Windows\system32\Meepdp32.exe
1⤵
PID:1872
- C:\Windows\SysWOW64\Mkohaj32.exe
  C:\Windows\system32\Mkohaj32.exe
  2⤵
  PID:732
- - C:\Windows\SysWOW64\Megljppl.exe
    C:\Windows\system32\Megljppl.exe
    3⤵
    PID:9036
  - - C:\Windows\SysWOW64\Mjdebfnd.exe
      C:\Windows\system32\Mjdebfnd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:208
    - - C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        5⤵
        Modifies registry class
        
        PID:3476
      - C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        6⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        7⤵
        
        PID:8264

C:\Windows\SysWOW64\Ncofplba.exe
C:\Windows\system32\Ncofplba.exe
1⤵
PID:4868
- C:\Windows\SysWOW64\Njinmf32.exe
  C:\Windows\system32\Njinmf32.exe
  2⤵
  PID:9008

C:\Windows\SysWOW64\Oeehkn32.exe
C:\Windows\system32\Oeehkn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032
- C:\Windows\SysWOW64\Ohcegi32.exe
  C:\Windows\system32\Ohcegi32.exe
  2⤵
  PID:624

C:\Windows\SysWOW64\Ojbacd32.exe
C:\Windows\system32\Ojbacd32.exe
1⤵
PID:1612
- C:\Windows\SysWOW64\Omqmop32.exe
  C:\Windows\system32\Omqmop32.exe
  2⤵
  PID:4852

C:\Windows\SysWOW64\Oeheqm32.exe
C:\Windows\system32\Oeheqm32.exe
1⤵
PID:2288
- C:\Windows\SysWOW64\Olanmgig.exe
  C:\Windows\system32\Olanmgig.exe
  2⤵
  PID:8580
- - C:\Windows\SysWOW64\Onpjichj.exe
    C:\Windows\system32\Onpjichj.exe
    3⤵
    PID:3100
  - - C:\Windows\SysWOW64\Oanfen32.exe
      C:\Windows\system32\Oanfen32.exe
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        5⤵
        Modifies registry class
        
        PID:4412
      - C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        6⤵
        
        PID:4700

C:\Windows\SysWOW64\Ncabfkqo.exe
C:\Windows\system32\Ncabfkqo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3040

C:\Windows\SysWOW64\Oaqbkn32.exe
C:\Windows\system32\Oaqbkn32.exe
1⤵
PID:3284
- C:\Windows\SysWOW64\Odoogi32.exe
  C:\Windows\system32\Odoogi32.exe
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\Ojigdcll.exe
    C:\Windows\system32\Ojigdcll.exe
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\Oacoqnci.exe
      C:\Windows\system32\Oacoqnci.exe
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\Odalmibl.exe
        
        C:\Windows\system32\Odalmibl.exe
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        6⤵
        Modifies registry class
        
        PID:9260
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        7⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        8⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        9⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        10⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        11⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        12⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        13⤵
        Drops file in System32 directory
        
        PID:9600
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        14⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        15⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        16⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        17⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Pmcclm32.exe
        
        C:\Windows\system32\Pmcclm32.exe
        18⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        19⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        20⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        21⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        22⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10108
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        24⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        25⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2248
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        27⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        28⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        29⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        30⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        31⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        32⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        33⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        34⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1524
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        36⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        37⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        38⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        39⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10056
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        41⤵
        Drops file in System32 directory
        
        PID:10116
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        42⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        43⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        44⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        45⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        46⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        47⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        48⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        49⤵
        
        PID:1788

C:\Windows\SysWOW64\Cdecgbfa.exe
C:\Windows\system32\Cdecgbfa.exe
1⤵
- Drops file in System32 directory
PID:9496
- C:\Windows\SysWOW64\Dkokcl32.exe
  C:\Windows\system32\Dkokcl32.exe
  2⤵
  - Drops file in System32 directory
  PID:9500
- - C:\Windows\SysWOW64\Ddgplado.exe
    C:\Windows\system32\Ddgplado.exe
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\Dkahilkl.exe
      C:\Windows\system32\Dkahilkl.exe
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9768
      - C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        6⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        7⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        9⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        10⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        11⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        12⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        13⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        14⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        15⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        16⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        17⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        18⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        19⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        20⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        21⤵
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        22⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        23⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        24⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        25⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        26⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        27⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        28⤵
        Modifies registry class
        
        PID:10004
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        29⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        30⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        31⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        32⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        33⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        34⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        35⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        36⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        37⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        38⤵
        Modifies registry class
        
        PID:9732
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        39⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        40⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        41⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        42⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        43⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        44⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        45⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        46⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        47⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        48⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        49⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        50⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        51⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        52⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        54⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        55⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        56⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        57⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        58⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        60⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        61⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        62⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        63⤵
        
        PID:1432

C:\Windows\SysWOW64\Hlglidlo.exe
C:\Windows\system32\Hlglidlo.exe
1⤵
PID:5436
- C:\Windows\SysWOW64\Iliinc32.exe
  C:\Windows\system32\Iliinc32.exe
  2⤵
  PID:9932
- - C:\Windows\SysWOW64\Iohejo32.exe
    C:\Windows\system32\Iohejo32.exe
    3⤵
    - Drops file in System32 directory
    PID:5852
  - - C:\Windows\SysWOW64\Ifomll32.exe
      C:\Windows\system32\Ifomll32.exe
      4⤵
      Modifies registry class
      PID:5948
    - - C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        5⤵
        
        PID:5272
      - C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9860
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        8⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        10⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        11⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        12⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        13⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        14⤵
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        15⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        16⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        18⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        19⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        20⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        21⤵
        Drops file in System32 directory
        
        PID:10324
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        22⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        23⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        24⤵
        Modifies registry class
        
        PID:10468
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        25⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        26⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        27⤵
        Modifies registry class
        
        PID:10600
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        28⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        29⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        30⤵
        Modifies registry class
        
        PID:10784
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        31⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        32⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        33⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        34⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        35⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        36⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        37⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        38⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        39⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        40⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        41⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        42⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        43⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        44⤵
        Drops file in System32 directory
        
        PID:10416
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        45⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        46⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        47⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        48⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        49⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        50⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        51⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        52⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        53⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        54⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        55⤵
        Modifies registry class
        
        PID:10256
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        56⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        57⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        58⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        59⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        60⤵
        Modifies registry class
        
        PID:10772
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        61⤵
        Drops file in System32 directory
        
        PID:10832
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        62⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        63⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        64⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        65⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        66⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        67⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        68⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        69⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        70⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        71⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        72⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        73⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        74⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        75⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        76⤵
        Modifies registry class
        
        PID:10956
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        77⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        78⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        79⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        80⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        81⤵
        Drops file in System32 directory
        
        PID:11272
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        82⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        83⤵
        Drops file in System32 directory
        
        PID:11360
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        84⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        85⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        86⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        87⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        88⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        89⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        90⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        91⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        92⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        93⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        94⤵
        Modifies registry class
        
        PID:11884
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        95⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        96⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        97⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        98⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        99⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        100⤵
        Modifies registry class
        
        PID:12160
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        101⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        102⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11308
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        105⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        106⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        107⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        108⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11612
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        110⤵
        Modifies registry class
        
        PID:11664
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        111⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        112⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        113⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        114⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        115⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        116⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        117⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        118⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12196
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        120⤵
        Drops file in System32 directory
        
        PID:12260
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        121⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        122⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        123⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        124⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        125⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11656
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        127⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        128⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        129⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        130⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        131⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        132⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        133⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        134⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        135⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        136⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2084
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        138⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        139⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        140⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        141⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        142⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        143⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        144⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        145⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        147⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        148⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        149⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        150⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        152⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        153⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        154⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        155⤵
        
        PID:11720
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        156⤵
        Drops file in System32 directory
        
        PID:11748
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        157⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        158⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        159⤵
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        160⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        161⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        162⤵
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        163⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        164⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        165⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3968
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        167⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:12092
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12216
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        170⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        171⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        172⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        173⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        174⤵
        Drops file in System32 directory
        
        PID:12332
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        175⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        176⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        177⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        178⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        179⤵
        Drops file in System32 directory
        
        PID:12568
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        180⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        181⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        182⤵
        
        PID:12712
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        183⤵
        Modifies registry class
        
        PID:12760
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        184⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        185⤵
        Drops file in System32 directory
        
        PID:12848
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        186⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        187⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12980
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        189⤵
        
        PID:13028
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        190⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        191⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        192⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        193⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        194⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        195⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        196⤵
        
        PID:12324
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        197⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        198⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12552
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        200⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        201⤵
        
        PID:12648
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:12700
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        203⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        204⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        205⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        206⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        207⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        208⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        209⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        210⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        211⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        212⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        213⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        214⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        215⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        216⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:12356
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        219⤵
        
        PID:12496
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        220⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        221⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        222⤵
        Drops file in System32 directory
        
        PID:12632
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        223⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        224⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        225⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        226⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        227⤵
        Modifies registry class
        
        PID:12844
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        228⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        229⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        230⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        231⤵
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        232⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        233⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        234⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        235⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12300
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        237⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        238⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        239⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        240⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        241⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        242⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        243⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        244⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        245⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        246⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        247⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        248⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        249⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        250⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        251⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        252⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        253⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        254⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        255⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        256⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        257⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        258⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        259⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        260⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        261⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        262⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        263⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        264⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        265⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        266⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        267⤵
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        268⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        269⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        270⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        271⤵
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        272⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        273⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7628
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        275⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        276⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        277⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        278⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        279⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        280⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        281⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        282⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        283⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        285⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        286⤵
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        287⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        288⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        289⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        290⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        291⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        292⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7972
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        294⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        296⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        297⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        298⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        299⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        301⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        302⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        303⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        304⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        305⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        306⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        307⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        308⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        309⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        310⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        311⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        312⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        313⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        314⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        315⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        316⤵
        
        PID:13360
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13400
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        318⤵
        Drops file in System32 directory
        
        PID:13448
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        319⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        320⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13592
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        322⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        323⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        324⤵
        Modifies registry class
        
        PID:13720
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        325⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        326⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        327⤵
        Drops file in System32 directory
        
        PID:13844
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        328⤵
        
        PID:13888
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        329⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        330⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        331⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        332⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        333⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        334⤵
        Drops file in System32 directory
        
        PID:14156
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        335⤵
        Drops file in System32 directory
        
        PID:14200
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        336⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        337⤵
        Modifies registry class
        
        PID:14292
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        338⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        339⤵
        
        PID:13344
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        340⤵
        Modifies registry class
        
        PID:13444
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        341⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        342⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        343⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        344⤵
        Drops file in System32 directory
        
        PID:13712

C:\Windows\SysWOW64\Fkgillpj.exe
C:\Windows\system32\Fkgillpj.exe
1⤵
PID:8160
- C:\Windows\SysWOW64\Fdpnda32.exe
  C:\Windows\system32\Fdpnda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6444
- - C:\Windows\SysWOW64\Fnhbmgmk.exe
    C:\Windows\system32\Fnhbmgmk.exe
    3⤵
    PID:13916
  - - C:\Windows\SysWOW64\Fdbkja32.exe
      C:\Windows\system32\Fdbkja32.exe
      4⤵
      PID:13940
    - - C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        5⤵
        
        PID:7484
      - C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        6⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        7⤵
        Drops file in System32 directory
        
        PID:14100
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        8⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        9⤵
        
        PID:14260

C:\Windows\SysWOW64\Ggjjlk32.exe
C:\Windows\system32\Ggjjlk32.exe
1⤵
PID:14268
- C:\Windows\SysWOW64\Gcqjal32.exe
  C:\Windows\system32\Gcqjal32.exe
  2⤵
  PID:13340
- - C:\Windows\SysWOW64\Gbbkocid.exe
    C:\Windows\system32\Gbbkocid.exe
    3⤵
    - Modifies registry class
    PID:7948
  - - C:\Windows\SysWOW64\Hgocgjgk.exe
      C:\Windows\system32\Hgocgjgk.exe
      4⤵
      PID:8016
    - - C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        5⤵
        
        PID:13548
      - C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        6⤵
        
        PID:13644

C:\Windows\SysWOW64\Hjaioe32.exe
C:\Windows\system32\Hjaioe32.exe
1⤵
PID:13668
- C:\Windows\SysWOW64\Hbknebqi.exe
  C:\Windows\system32\Hbknebqi.exe
  2⤵
  PID:7524
- - C:\Windows\SysWOW64\Ilfodgeg.exe
    C:\Windows\system32\Ilfodgeg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:13912

C:\Windows\SysWOW64\Ijmhkchl.exe
C:\Windows\system32\Ijmhkchl.exe
1⤵
PID:7420
- C:\Windows\SysWOW64\Inkaqb32.exe
  C:\Windows\system32\Inkaqb32.exe
  2⤵
  PID:7932
- - C:\Windows\SysWOW64\Ihceigec.exe
    C:\Windows\system32\Ihceigec.exe
    3⤵
    PID:7988
  - - C:\Windows\SysWOW64\Jdjfohjg.exe
      C:\Windows\system32\Jdjfohjg.exe
      4⤵
      PID:7200
    - - C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        5⤵
        
        PID:14144
      - C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        6⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        7⤵
        
        PID:14264
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        8⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        9⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        10⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        11⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        12⤵
        
        PID:612
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        13⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        14⤵
        
        PID:8564

C:\Windows\SysWOW64\Llpchaqg.exe
C:\Windows\system32\Llpchaqg.exe
1⤵
PID:13692
- C:\Windows\SysWOW64\Mlbpma32.exe
  C:\Windows\system32\Mlbpma32.exe
  2⤵
  PID:7944
- - C:\Windows\SysWOW64\Mdnebc32.exe
    C:\Windows\system32\Mdnebc32.exe
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\Mlemcq32.exe
      C:\Windows\system32\Mlemcq32.exe
      4⤵
      PID:7660
    - - C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        5⤵
        
        PID:8868
      - C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        6⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        7⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        8⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        9⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        10⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        11⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        12⤵
        Modifies registry class
        
        PID:8728
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        13⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        14⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        16⤵
        Drops file in System32 directory
        
        PID:14076
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        17⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        18⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        19⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        20⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        21⤵
        
        PID:14236
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        22⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        23⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        24⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        25⤵
        
        PID:9132

C:\Windows\SysWOW64\Pcfmneaa.exe
C:\Windows\system32\Pcfmneaa.exe
1⤵
PID:13536
- C:\Windows\SysWOW64\Pomncfge.exe
  C:\Windows\system32\Pomncfge.exe
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\Qelcamcj.exe
    C:\Windows\system32\Qelcamcj.exe
    3⤵
    PID:3972
  - - C:\Windows\SysWOW64\Afnlpohj.exe
      C:\Windows\system32\Afnlpohj.exe
      4⤵
      Drops file in System32 directory
      PID:8556
    - - C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        5⤵
        
        PID:8656
      - C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        6⤵
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        7⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        8⤵
        
        PID:7520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8516 -ip 8516
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpdaepai.exe

Filesize
448KB

MD5
8c086df67ac1d01222c7c5de271308ce

SHA1
76ed19850d6ecb9fdb9de248802e49670690b3ef

SHA256
d5f8ad7be20985ba7adcc838351f6898d8727955b21ab72f4d14344c2a5a7058

SHA512
07f89059cdb0ce61d4b03332074f423a6621b99fefc0ba76ee9e94015c8a851876a65315f94bd0ac2afd4daab9de793fa7e3349926d7259ba3ff22a5528133aa

Download Submit
C:\Windows\SysWOW64\Eifhdd32.exe

Filesize
128KB

MD5
1256ba1f9043accac42d5b5470f93a18

SHA1
f9caa1603a65fab473f51eb875cc5cb326f21562

SHA256
9651230cc429da60a0f693fd8db53ae79088c80652825bdceaa8a82a154fcc46

SHA512
feaa374cdfa110f2caa5082c5f0b53c37e8306d009f10434ab8c5ee6dec3e994a108ef631c13b0911a833bbe729f24e209551f9019f46b79ef2f2035671ee3f4

Download Submit
C:\Windows\SysWOW64\Eppqqn32.exe

Filesize
85KB

MD5
459e848de3e13e506eae688f222a5a6d

SHA1
3ae040f480470a1e342f7fcf30a763735ce0136e

SHA256
91fe0ed30e80db6671c6ad1c0f29c024f222f90a7913e1aa90bf751739143846

SHA512
5e446d576c8eab0b8e3015b49a822576031fd965b72ec36002340d3d833a4898cd7cf80a18596490e9e207db93ceab5d1c870744b6ef96f2efc6ce89b8a99951

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
448KB

MD5
9a98f146392dcaa6f75a2c1b01e4c420

SHA1
b895dc84ff9194b4ea03207bfc00aaa85b5275a1

SHA256
a6479dd40d2d1cdbc681029733f6173bef7779466cd3bc0a37079ee2f97f7c5e

SHA512
cbc1440a9e4faaea86673df176b73e5356771023a8d50f67843d58a0093df78568a9140f20dad17c581ff709cdc9d60770b5c4aeed1cc62080431ad7ab0e5b5b

Download Submit
C:\Windows\SysWOW64\Fpejlmcf.exe

Filesize
448KB

MD5
843394b5bef0388a3daf503db2e2d09e

SHA1
7a30b34aa537f95aa44b91ffc2210b08081af5e3

SHA256
d592a64535e9ec896860b00e5e676e188202eb56397cd647ac9c2717b5118f0d

SHA512
6926374db3f766806ff629e9ae868e98240a929db069e6fbd28bbc3eec5ba1d78a04500cbee6b2115011351f8acf2f68e0a0a0f95a21aca8876374fd074e33b2

Download Submit
C:\Windows\SysWOW64\Gekcaj32.exe

Filesize
448KB

MD5
6825252726f64a09611d5ad7afacb3ed

SHA1
acdcd603d9b5f02e3ebc3cafc35aa156e674d885

SHA256
efa1a6b12d73d2ba7d1b6e0b77985e59e5022fcbc65cd2e1f98ac74ab839b8fe

SHA512
6e0e5841138903a2d3cd85c2bfe3403f00ee5ad930718f561fd14f64ca4eb1b399ca36e511b81fc2f4708078d25f46135cf79d8fab40ad6a7cb50aad4d47e3e8

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
448KB

MD5
c2cb5f5f2e599afc6d215daa1dd29062

SHA1
618f22a4e69fa712ff76b7dcbe66e3464e0e6055

SHA256
803a994789a0be566bbd81dfc75c21031d946139cb2b35afa4e777bccc8538ca

SHA512
da404c07d574c9064522e2276bc852100824b40b990de93126a527689b0bc81dfe8ad007bb442017bda9cc106ec674ec7f14752080be4d6815b0ea396233a911

Download Submit
C:\Windows\SysWOW64\Ghmbno32.exe

Filesize
448KB

MD5
9b0eb911f35d6b6f25094754d73c47dd

SHA1
464803ba89ad4a1dac133b322c45f3dabed848c2

SHA256
680a1b2f4653522d55775be171a4f74498a2e6a7dfa98d479e05a43c551cf966

SHA512
69cf4bc5e3c8634519aa1d30fbe67e4e240c27a706597c86d4b5a2f94359ab6e0c43f8c99fbd60dec2e8126da16c36ccf03d495af49208a3d806f827ad5e572f

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
448KB

MD5
eb46451dc00bc28fc8cf7134908a7511

SHA1
28703300557cb306903741d48c0324412ed509b3

SHA256
53f050e0596fe9dea6464ebc8a33646d46a610a9b34c655f031fe83af56c4831

SHA512
7d9898966065924524e026f85fd2ac38d23f257693fc69a469a4dd6c4eb423ddbfc4fb92e9a19017fb89168253e499bcccffa7e497a94fd05e22e3af45d08cae

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
448KB

MD5
b93db8d47fb7caa57dc78ed93eeba28c

SHA1
5cc6218265953aec0598a9e7e280def5443dd020

SHA256
7f7159ba9652e0f82ef50d92efc522f41d22a53ad35f2f8aec5f0402a05b6d93

SHA512
6178be3d98254de97dd4f0b29f5d9ec254589aa3bd816504ad56f1d46106d33b908469133193cd07a1d61a1c2a9ac4bd57718ce8569208b8348692378cb58646

Download Submit
C:\Windows\SysWOW64\Idfaefkd.exe

Filesize
448KB

MD5
60eb906b76766e2e7a088e0343195107

SHA1
42a9c3a6b763325519af5a2750cb10ce1b86116f

SHA256
bcb960e5076eb69c3a9779be9cd2fe0cd00ec4397f413de9f3edd0534a4c5643

SHA512
8780a58b0928989d3b113ed9be45e8967908eba0d9dae460052a97882e5b30a167358fa556bcfe0c0116f79c40ce51946901d3648db93b93db34ec84b9ab6c08

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
448KB

MD5
8d2adf13235f492f297dd0cd2c7a73b0

SHA1
d023825ebac0f4c2278b1d84705af638dafb1dd1

SHA256
ba5c6c50375fb5edb3325cbc6a048ebe05735ac35302d30f8ab4b75bac66416d

SHA512
17fc908ce6fef1bbef10cf43e6e4df816aa07b02968f8f01439ace25fc59c94827d01d44050adee2b1b7f02b047be44bb39022e3f0fccb6dfea4adcaf6ea8461

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
448KB

MD5
c482b0aa46ca5628ab1e5abbd9dfa951

SHA1
d3da23d5d6dee51ce89c6d0617fd66f596b6552a

SHA256
5bfb8bbf4d6b23d9a776f4fbb77c3f8142772b774db991f9eb45b27d0d18793f

SHA512
9998031ede66c33c3dd5023be3e468bbd395626a08a061547f6a94446c2710b6cb5455b9486b1884c033f52c2f37175c35989e74e06bb8edbf136f81e6097567

Download Submit
C:\Windows\SysWOW64\Iphioh32.exe

Filesize
448KB

MD5
ed77113c70329375ba18ba1db43565e1

SHA1
2e57055c3ebf1e85f35489a2b865d7ac3cd6107c

SHA256
d6d19f6ed6aa59d9f2a53848430f5ba37c498d447651a9a23c2cb4c5af539295

SHA512
9729959fffe8759c84bacf57a52ae606bce7bbabb8822ef4834445ecda0e28400e99b6e215517cf5235308a6704f88a02e25a1f0ae1bb5d1b831412158a5d425

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
448KB

MD5
d746733f67aa176770af10bcc100ed2f

SHA1
bfb8bcbe36d74f48176b70ae1c2412ec1af8ef16

SHA256
7dfa9297ba933068e850a972062f1f0363639c470aa565d1304cc2ce98a0503a

SHA512
8110e1b2376321066c525201fb4e9ce3b89b1687f75770222cd4f6b5997dbe6812931cb06fb4f41704efbcf68adfa375c27b319199b9b307f9f0119e8138dbcd

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
448KB

MD5
dd90a0628c774de14d8fd94b2b2f2f8b

SHA1
4d548e964a38ec0f57de1c85300bcb0dcb0e6ea2

SHA256
588c7fbb96617df35f48b249111f0944e6041f9d59d7d91a9a2743152a6811b2

SHA512
e382bcf0da755ec9322f1c2644465f0ba368c7f1dd1872d6c4ccb1104850591becdbc598a70c889baa0ac54165a7f9d124e1708c8b01d8219f4ac417f70a31e5

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
448KB

MD5
334aa515ac1ae24628879d9106360323

SHA1
60ba8f2161dc02393674bb520f199f5e1d5808ea

SHA256
a9fbb616d11d5273161a21e2dcbf9bb34d07f697535afdcc0ce85ac2dbc4a9c4

SHA512
544985f95a1510a8dac17f03f38c9cab36804ab6d3e77813e9e3fdee53ace91f0bbcb45453f44b0562c5199aece05b989f7a0e803ce5e4bf3b482d96f974e485

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
448KB

MD5
6ed9625c057c76d0d225e6fe346dbc96

SHA1
5456439d1199d46b00f504321bae1b25e6f898eb

SHA256
af81a0a43145d9261fc297a257eb64203d0b7ac42bcf809e3fc2e0480588a2be

SHA512
d377307abb94fb15ecfd569b723535a86b9bf714cc1b6dc655b7e5e636a417f5ecd5d87354c11272f7131ce9f984714df4e92d27af07be1d9833ad248347fced

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
448KB

MD5
66e4e49790ef93471d1563fa5a47d3be

SHA1
ef498c197ffb762b6c46b66e2c8284148d210119

SHA256
797c52cf002c00ce83ee42f4d19c7e6afb917ed19f68071640027643993757b7

SHA512
9f0845399aaf430bda31a74e1fdb7d755986e51196844c9bf71f47a4a3ff0c340d143d0275692d6ce1dae2098de0c407dfbd91f579a824220ab08ccf34b1493a

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
448KB

MD5
86aaeaf57a4ec08f762c3b7b1e11a456

SHA1
a4c393c043c8c51a512f37a83245a298bf7aaa33

SHA256
234f2fee3e1dba798486b0c62e83b717ffb4b5d48630996607e9c656e267518a

SHA512
aba149ec88ab849186c67bcf5f2431ac413992e58d3534e86e0148eb12ba50a3615b6b75b8abe46f0a02380af8246d34e84a68a2a11ac46757d26145e237d883

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
448KB

MD5
10b36faca3b9a24511eb410cf872a59e

SHA1
e72d6a347ccc323c6ff5a34da802b4c7565e2fd2

SHA256
42999dd4547473a9b03354eb541b1a72b25545fd321c38808b8272dd25a98e0e

SHA512
d72fe1a585e364d75f101e151f8cb613dcc88775931f20aa65dd15424e21f017e9eceeff36eab0bf6bae120dfecdb40041e300d984ebf38a52d772b22713ecd4

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
448KB

MD5
95dea8723b7a719c9530091b35f708bc

SHA1
b079c41c17776dae2226bb412ceaa5da81a90d83

SHA256
aa8047f216a558b48b11e62ecce180935f54ada49015c788c7f7e8563e999a53

SHA512
22bbaa852d05e512abfb977c0ede85885e101d9366372536f1995d82ac15dad0aca686c79ca79168b3f77e37e496e53ec7c004edbd3b27615eecc7ef331f9af2

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
448KB

MD5
ff778fbd4faa1d433139f412f701ee27

SHA1
1a671ada8c189005ed383ba43b61f1819e525021

SHA256
48e2dbf9b0d132e76fd000617812c86d44dfe431c6bb46fef13bc0af2518d909

SHA512
b8190ba36df36f80a56da2094d1578a4b9344dff66a62ef6253830aa21d64c35d79b7b89aa0fc82f061871c506c4f361c4960882ca931461beb25bcc295bea3b

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
448KB

MD5
8eed99f1df3162ced9ee1be274bc82ca

SHA1
64357c82b9d08be66a3804674c8f6fd32065b285

SHA256
924737e905653902f6a39cd1a1b5b78dd515ef8223ee2dbe163d8ded256c0d31

SHA512
e434b4cee78eeaf8ef239b484d040637514f899b7ea0a3420a70a4bf78efe680325cc12666172ba9671202b80435134e01901c1fa8e98f022a52c52d6c0738d8

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
448KB

MD5
750294fbb79db9e9a6f8678148653712

SHA1
a4bb127774e0d6c96198f6335b74f36f643d69a3

SHA256
1a9156932e853d245cbb3092de7f3218afb8b8f9c97b262407758106869cb400

SHA512
350aad4a6012ad17d422a0430132dd0fca816f9da2fc18c4f80378dd963c5f1987b6e659a7621b3c9531d4ae073cf4cbf6d2e88202306da8d7ac36f2c10f8f5b

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
98KB

MD5
59f47714b8d6c5fccc89aafbb2d67899

SHA1
f5e7cae8e1e6fe567aef34a81c614192e204fcf4

SHA256
5e1a0ee10fa75e6056791f94981a5b9ccc739a0b8a621b610e0b262685b73c0a

SHA512
475356640b6b9218a2eadb30ce572c8ede30bb52d57e993d5641203a861f808300531becd2d816c53bcebc524e73250bbd228087a0af0d4ca5f2a386118d705a

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
448KB

MD5
feccce5fc6e037eea80e36bc098ca985

SHA1
48833c6389707150ecacb26390c7bdd8f8421c3c

SHA256
a9bae0ca045c8d00839d73b63fecf0300a4fc9f84bffb2139c6681dc88bc3b18

SHA512
8e2da9f0f0e97582633f98b15133460a56195b606102e115686f0cd5b8119c9153959da5811ed543c99deaa7f083f48b7b862333ecfd2500ba1e53d7b598cef6

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
448KB

MD5
c86895b485d46365956a458d6fcc11e6

SHA1
516d259b8004c6ff4a921c357a2c3a2a62cd787b

SHA256
e6441a6593c1e97bf1dfc20146bb5f89e850096d22b2de010e78c1425f43b691

SHA512
12c0aeadd1daa3be8ba384c47535f74f57b32dc2ce42a75a5a7cd2ebdb6e6a9b93a3b5dca06ceb89f87dc42012ae4d47bad76c61eada407640179e5d6af7d9d4

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
320KB

MD5
c57e7ac3efea5bf642e2dfa9be5ef598

SHA1
a86ae54ace6cccb9d5b918c7a011e2e180d4ead8

SHA256
5236459cd154d27570cf984c0017986b13ffa8b06d90b78fbe68186e5d6a44be

SHA512
86789932fb6791029710fc7f4b36c759f3f92af4414721de82cc88233842e5a6f1fc3c707e70d253af2969ae4460ff8f575cc3537eaca0d73623de69c2e2d4c8

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
448KB

MD5
19be90358e524c07f4f844f9bdcb9cfe

SHA1
3e86819b55d52fed5eb161717103224123877c6e

SHA256
dddb527be295b9c2eb42c8ab6d361e0b1ae0a8dc573a8e488bf94dfa6d0d333d

SHA512
6454584d8e326f89bc36a8090b62f57b8d14f9f60be52eebfe5bf80e9e69d766d97b51194eea1fec884836e3f3f07f795ef798cf25e62448d4dee5c16c301e1f

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
448KB

MD5
26e8b969f26a4169dd706a2cf1e18ac5

SHA1
764d2ac11be48b41a15bfda6bad9459b6f44febd

SHA256
2171c9f8c25bc424f67cd4d4fb39ed0b9f18e45184f5a2e3ddd66fe90e20b4b8

SHA512
a89697094befbcc8eb9f1ed29410abf68f47867751bd782cc6bc7478b91c40b0a9638a6bb488295dee1c76c1826bfb279ccc6da0da9b606ec1ff998befe20ce2

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
448KB

MD5
ec25b7819175833852659040f63f08bf

SHA1
14c050da2e8641c72ff8480215ccff8b602b79c1

SHA256
8cbdd818e3bc92beeef1cce13df6d6308bcb4c70042bcf8c891d7cd7e9a01a8a

SHA512
e36258fc1922fe632b0e53fed4e03a8fd8eb2870299eb4a77a3450bc302eb2595b1231c6f7e81b8349933e9410b23ae2b9ea6c77e6fb59507f30153c7e77ec8c

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
448KB

MD5
b8e32329d1ee1b854dc65a4f2faa273e

SHA1
4fc44465007211cd6a37d29bf2f4751a6ea34697

SHA256
7212d93be55ee87d68d0ea8d693dfec181473bf627d52532e7663b68ad85da03

SHA512
8c98400d310d8302e0e9240dd3a34955db4d86e3c7fd2f7fd6ae3743b213c33ca3c138c8e64dfe21d362f2f89e38f308910fd5b66e73a53c39de776b878046f0

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
448KB

MD5
3bea28f0006b10dd331b511a04cffb50

SHA1
4df66c862f44e1f3b81341a87c824c1bf3cbbcd7

SHA256
3a6991984423f85fd423dd0e50b99ce6384914821f660cf6334b313dc6533fe8

SHA512
3642de8a20f23e1d63b80b4a0e3ba131a910d2d52c7a22d3ff15a93c237866d93ee34c43fd93240c4b7bc770a90fd4aefd82ae5d3e053253d15b63dfe349c661

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
448KB

MD5
be760426830c33b728396eb8b61246cd

SHA1
18eecc280cfbf2b6305f3482f91df8f87039135e

SHA256
045a958bd4152cfa493db2b1a50e1d7161d59115155f93c4c1079538963f5b1a

SHA512
3de3ada91bc4c6b4190ca373333c6931af24c0a82cdfd54dc62b2f904a857a3fcfc7713ba798c8b70b3f1ad71aaa1ab070a5cfccc43118268ca8d01d2bb2a8a1

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
448KB

MD5
0f1093f49ae99cce25ca7b0152696d60

SHA1
0b96858ac520a4b7c1300101755b947fca5c952e

SHA256
544fd005121e898b0262e2f4bf78dc5692636bad67c5574f965bb73a31fcc38c

SHA512
7bedc2ff74585b27ee489f6f9a6de6d7de30970888a03af27246f1f4fe47e4764d776142ad09cd685f2ada80d302616b9265b99e1c7417ffde188d44ab893b02

Download Submit
C:\Windows\SysWOW64\Ooqqdi32.exe

Filesize
448KB

MD5
43f981b9d06c13bf6e484cf41bf4b441

SHA1
c85abd01df17f112941e8ae467dbda58c3e99cae

SHA256
155436096f2fae553e7c2da4de1c5fece49b93a753eb1fd040b1e02e06fb5969

SHA512
74fcadda7fa5b71634f9fbb17937bb3436c269d940fbd3c1c46c66a98b1925bf39b64efd17154c9f06b47d54ccd5defde205a1c911e47e12b2097b05c7cb31d1

Download Submit
C:\Windows\SysWOW64\Pgflqkdd.exe

Filesize
448KB

MD5
adde627e619d6b200252b3ccc79a90ce

SHA1
557300175bb608f2785c77dac31f911967c0dcbe

SHA256
7c0b712548e7ea9772da693c67684f711506df3712bf2c592cd8a450bfeda49c

SHA512
a4eec92fd9830c46437c7a333f94e11a18d1482421c3e1095b270815a5208679de13adf43eb1692aa3b5c36b7b414cfdbc65dd2bc46f45d6d576b416514d0ee2

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
258KB

MD5
fbc7fb5b7e22216af0ce3c87b9288ba9

SHA1
3c08de6a217b63055346ccfc2a350eb8c76b37d3

SHA256
30e4effac5f1fe52062c3d975bbcb9529cd8468396f68b0324088049d2e841a6

SHA512
8bd71ab6c35ee0e6acfb4fb08c5e23953adff333099d98ebb6dd8090b5516302ea1b25f59747d651f823d43c1c3303d87bbc202713705fd2ab300b39cfe567bb

Download Submit
C:\Windows\SysWOW64\Poaqemao.exe

Filesize
448KB

MD5
7b8c3a6607a5912ebb7c164b95151f41

SHA1
3e7a9aac30fcc083a2ac48023152a8280adf5fb2

SHA256
8048663351770515d18d7b78e09a7fbfa2ddd5b62b531a63c2b379c7e4ecdff7

SHA512
52c2f024cdcafaa96162d8b23e88bda8da7ae506a0fd5c565144c45511bd4d37c04a58ea7109889b0265a4727e4420e1870b55db0735c02e4cfbb11a029a2d9f

Download Submit
memory/208-695-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-696-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-697-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-713-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-709-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-704-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-693-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-711-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-664-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads