3409c5c926009433efb6599595e6096f5fc6a01a6a5fb5c86284ead9c0c1d7fb

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.exe
Size

790KB
MD5

879b2d7c2ad20040310242a89c71ad13
SHA1

586ddb8058309c159b23e31911a2f8ef93c6d94a
SHA256

3409c5c926009433efb6599595e6096f5fc6a01a6a5fb5c86284ead9c0c1d7fb
SHA512

5c62ea350d99d9690a8a5f3e92f0c27f917d168d149d8b78faebd9c97a557cc8d7240d64eb168bf51838fe701a6119c8bf0ac6b0616506e8638650fb3c7937d8
SSDEEP

12288:EcFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:JPLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehapfiem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdfmlhna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcblpdgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcmakpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idhnkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkckeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaekqhh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Figgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Joahqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poomegpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oampjeml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoepebho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eolhbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eobocb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohnohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filapfbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeddnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilphdlqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ednaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eehnem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejfeng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnhdkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngjch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inlihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbngllob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igdnabjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbchj32.exe

Executes dropped EXE 64 IoCs

pid	Process
100	Camphf32.exe
916	Doqpak32.exe
4316	Dhidjpqc.exe
4972	Ddpeoafg.exe
2188	Dbaemi32.exe
3780	Dhnnep32.exe
3980	Dccbbhld.exe
2940	Dllfkn32.exe
3080	Dahode32.exe
1620	Dlncan32.exe
2944	Echknh32.exe
2292	Elppfmoo.exe
1820	Ecjhcg32.exe
4864	Eeidoc32.exe
2824	Elbmlmml.exe
3160	Ecmeig32.exe
2892	Ednaqo32.exe
4320	Ecoangbg.exe
1548	Ehljfnpn.exe
2324	Eofbch32.exe
1988	Eepjpb32.exe
4080	Ehnglm32.exe
3048	Fhcpgmjf.exe
3888	Fomhdg32.exe
4444	Fakdpb32.exe
4584	Fkciihgg.exe
3564	Fckajehi.exe
2876	Fdlnbm32.exe
636	Fkffog32.exe
3644	Fbpnkama.exe
2860	Fdnjgmle.exe
4440	Gododflk.exe
3000	Gfngap32.exe
2888	Glhonj32.exe
1416	Gbdgfa32.exe
232	Ghopckpi.exe
4416	Gohhpe32.exe
1856	Gbgdlq32.exe
4700	Ghaliknf.exe
1204	Gokdeeec.exe
4788	Gfembo32.exe
984	Gmoeoidl.exe
2112	Gblngpbd.exe
1432	Hiefcj32.exe
4848	Hopnqdan.exe
3648	Helfik32.exe
3004	Hkfoeega.exe
5064	Hflcbngh.exe
1272	Hijooifk.exe
3936	Hcpclbfa.exe
1544	Himldi32.exe
4508	Hkkhqd32.exe
3580	Hcbpab32.exe
4940	Hecmijim.exe
1128	Hmjdjgjo.exe
4948	Hcdmga32.exe
2648	Hfcicmqp.exe
4020	Ikpaldog.exe
532	Ibjjhn32.exe
4708	Iehfdi32.exe
3632	Ikbnacmd.exe
8	Iblfnn32.exe
1312	Iejcji32.exe
4904	Ildkgc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Iemppiab.exe
File opened for modification	C:\Windows\SysWOW64\Oohgdhfn.exe	Ohnohn32.exe
File created	C:\Windows\SysWOW64\Hmjfkopm.dll	Fdlnbm32.exe
File opened for modification	C:\Windows\SysWOW64\Eolhbc32.exe	Ehapfiem.exe
File opened for modification	C:\Windows\SysWOW64\Ighhln32.exe	Idjlpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aeddnp32.exe	Aojlaeei.exe
File opened for modification	C:\Windows\SysWOW64\Glkmmefl.exe	Gikdkj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Mapppn32.exe
File created	C:\Windows\SysWOW64\Kgdphnlp.dll	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Bjfjgifo.dll	Lbkkgl32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Helfik32.exe	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Pibdmp32.exe	Pkadoiip.exe
File created	C:\Windows\SysWOW64\Iikikigb.dll	Cbdjeg32.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdai32.exe	Jimldogg.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Poomegpf.exe	Pibdmp32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lllagh32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Lejgch32.exe	Lbkkgl32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Geoapenf.exe
File created	C:\Windows\SysWOW64\Khlklj32.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Dlhcmpgk.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Foniaq32.dll	Lepleocn.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ejfeng32.exe	Eppqqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Eghkjdoa.exe	Edionhpn.exe
File created	C:\Windows\SysWOW64\Eojpkdah.dll	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Mnfgko32.dll	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hbgkei32.exe	Hlmchoan.exe
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lafmjp32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jfhlejnh.exe	Jpnchp32.exe
File created	C:\Windows\SysWOW64\Edpgli32.exe	Eobocb32.exe
File created	C:\Windows\SysWOW64\Njghbl32.exe	Mjneln32.exe
File created	C:\Windows\SysWOW64\Gbobfjdp.dll	Pkadoiip.exe
File created	C:\Windows\SysWOW64\Bklfgo32.exe	Bhnikc32.exe
File opened for modification	C:\Windows\SysWOW64\Eehnem32.exe	Eonehbjg.exe
File opened for modification	C:\Windows\SysWOW64\Inpccihl.exe	Iickkbje.exe
File created	C:\Windows\SysWOW64\Fpbmfn32.exe	Ejfeng32.exe
File created	C:\Windows\SysWOW64\Cleegp32.exe	Cbpajgmf.exe
File opened for modification	C:\Windows\SysWOW64\Ljqhkckn.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Hnnljj32.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Gmiclo32.exe	Gkhkjd32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ggnlobej.exe	Gnfhfl32.exe
File created	C:\Windows\SysWOW64\Dmennnni.exe	Dflfac32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Fnfmbmbi.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Lomqcjie.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qdoacabq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9604	9480	WerFault.exe	704

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecmeig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnoknihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmiclo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akglloai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pibdmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjbohhg.dll"	Edhakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gglpibgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpfopn.dll"	Fffhifdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inqbclob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlbqboa.dll"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bklfgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhbcf32.dll"	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohnohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll"	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll"	Coohhlpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnmepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Emhldnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpich32.dll"	Fdbdah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhgloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcafnn32.dll"	Hnddgjbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfildi32.dll"	Ighhln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmpqfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaioi32.dll"	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclkag32.dll"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll"	Jjoiil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jblmgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dccbbhld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 100	3600	Backdoor.Win32.Padodor.exe	87
PID 3600 wrote to memory of 100	3600	Backdoor.Win32.Padodor.exe	87
PID 3600 wrote to memory of 100	3600	Backdoor.Win32.Padodor.exe	87
PID 100 wrote to memory of 916	100	Camphf32.exe	88
PID 100 wrote to memory of 916	100	Camphf32.exe	88
PID 100 wrote to memory of 916	100	Camphf32.exe	88
PID 916 wrote to memory of 4316	916	Doqpak32.exe	89
PID 916 wrote to memory of 4316	916	Doqpak32.exe	89
PID 916 wrote to memory of 4316	916	Doqpak32.exe	89
PID 4316 wrote to memory of 4972	4316	Dhidjpqc.exe	90
PID 4316 wrote to memory of 4972	4316	Dhidjpqc.exe	90
PID 4316 wrote to memory of 4972	4316	Dhidjpqc.exe	90
PID 4972 wrote to memory of 2188	4972	Ddpeoafg.exe	91
PID 4972 wrote to memory of 2188	4972	Ddpeoafg.exe	91
PID 4972 wrote to memory of 2188	4972	Ddpeoafg.exe	91
PID 2188 wrote to memory of 3780	2188	Dbaemi32.exe	175
PID 2188 wrote to memory of 3780	2188	Dbaemi32.exe	175
PID 2188 wrote to memory of 3780	2188	Dbaemi32.exe	175
PID 3780 wrote to memory of 3980	3780	Dhnnep32.exe	174
PID 3780 wrote to memory of 3980	3780	Dhnnep32.exe	174
PID 3780 wrote to memory of 3980	3780	Dhnnep32.exe	174
PID 3980 wrote to memory of 2940	3980	Dccbbhld.exe	92
PID 3980 wrote to memory of 2940	3980	Dccbbhld.exe	92
PID 3980 wrote to memory of 2940	3980	Dccbbhld.exe	92
PID 2940 wrote to memory of 3080	2940	Dllfkn32.exe	172
PID 2940 wrote to memory of 3080	2940	Dllfkn32.exe	172
PID 2940 wrote to memory of 3080	2940	Dllfkn32.exe	172
PID 3080 wrote to memory of 1620	3080	Dahode32.exe	93
PID 3080 wrote to memory of 1620	3080	Dahode32.exe	93
PID 3080 wrote to memory of 1620	3080	Dahode32.exe	93
PID 1620 wrote to memory of 2944	1620	Dlncan32.exe	171
PID 1620 wrote to memory of 2944	1620	Dlncan32.exe	171
PID 1620 wrote to memory of 2944	1620	Dlncan32.exe	171
PID 2944 wrote to memory of 2292	2944	Echknh32.exe	170
PID 2944 wrote to memory of 2292	2944	Echknh32.exe	170
PID 2944 wrote to memory of 2292	2944	Echknh32.exe	170
PID 2292 wrote to memory of 1820	2292	Elppfmoo.exe	169
PID 2292 wrote to memory of 1820	2292	Elppfmoo.exe	169
PID 2292 wrote to memory of 1820	2292	Elppfmoo.exe	169
PID 1820 wrote to memory of 4864	1820	Ecjhcg32.exe	168
PID 1820 wrote to memory of 4864	1820	Ecjhcg32.exe	168
PID 1820 wrote to memory of 4864	1820	Ecjhcg32.exe	168
PID 4864 wrote to memory of 2824	4864	Eeidoc32.exe	167
PID 4864 wrote to memory of 2824	4864	Eeidoc32.exe	167
PID 4864 wrote to memory of 2824	4864	Eeidoc32.exe	167
PID 2824 wrote to memory of 3160	2824	Elbmlmml.exe	166
PID 2824 wrote to memory of 3160	2824	Elbmlmml.exe	166
PID 2824 wrote to memory of 3160	2824	Elbmlmml.exe	166
PID 3160 wrote to memory of 2892	3160	Ecmeig32.exe	94
PID 3160 wrote to memory of 2892	3160	Ecmeig32.exe	94
PID 3160 wrote to memory of 2892	3160	Ecmeig32.exe	94
PID 2892 wrote to memory of 4320	2892	Ednaqo32.exe	95
PID 2892 wrote to memory of 4320	2892	Ednaqo32.exe	95
PID 2892 wrote to memory of 4320	2892	Ednaqo32.exe	95
PID 4320 wrote to memory of 1548	4320	Ecoangbg.exe	96
PID 4320 wrote to memory of 1548	4320	Ecoangbg.exe	96
PID 4320 wrote to memory of 1548	4320	Ecoangbg.exe	96
PID 1548 wrote to memory of 2324	1548	Ehljfnpn.exe	165
PID 1548 wrote to memory of 2324	1548	Ehljfnpn.exe	165
PID 1548 wrote to memory of 2324	1548	Ehljfnpn.exe	165
PID 2324 wrote to memory of 1988	2324	Eofbch32.exe	164
PID 2324 wrote to memory of 1988	2324	Eofbch32.exe	164
PID 2324 wrote to memory of 1988	2324	Eofbch32.exe	164
PID 1988 wrote to memory of 4080	1988	Eepjpb32.exe	97

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\Camphf32.exe
  C:\Windows\system32\Camphf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\SysWOW64\Doqpak32.exe
    C:\Windows\system32\Doqpak32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Dhidjpqc.exe
      C:\Windows\system32\Dhidjpqc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780

C:\Windows\SysWOW64\Dllfkn32.exe
C:\Windows\system32\Dllfkn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\Dahode32.exe
  C:\Windows\system32\Dahode32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3080

C:\Windows\SysWOW64\Dlncan32.exe
C:\Windows\system32\Dlncan32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Echknh32.exe
  C:\Windows\system32\Echknh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944

C:\Windows\SysWOW64\Ednaqo32.exe
C:\Windows\system32\Ednaqo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Ecoangbg.exe
  C:\Windows\system32\Ecoangbg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\Ehljfnpn.exe
    C:\Windows\system32\Ehljfnpn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\Eofbch32.exe
      C:\Windows\system32\Eofbch32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2324

C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
1⤵
- Executes dropped EXE
PID:4080
- C:\Windows\SysWOW64\Fhcpgmjf.exe
  C:\Windows\system32\Fhcpgmjf.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3048

C:\Windows\SysWOW64\Fakdpb32.exe
C:\Windows\system32\Fakdpb32.exe
1⤵
- Executes dropped EXE
PID:4444
- C:\Windows\SysWOW64\Fkciihgg.exe
  C:\Windows\system32\Fkciihgg.exe
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\SysWOW64\Fdlnbm32.exe
C:\Windows\system32\Fdlnbm32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876
- C:\Windows\SysWOW64\Fkffog32.exe
  C:\Windows\system32\Fkffog32.exe
  2⤵
  - Executes dropped EXE
  PID:636

C:\Windows\SysWOW64\Fdnjgmle.exe
C:\Windows\system32\Fdnjgmle.exe
1⤵
- Executes dropped EXE
PID:2860
- C:\Windows\SysWOW64\Gododflk.exe
  C:\Windows\system32\Gododflk.exe
  2⤵
  - Executes dropped EXE
  PID:4440

C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
1⤵
- Executes dropped EXE
PID:1856
- C:\Windows\SysWOW64\Ghaliknf.exe
  C:\Windows\system32\Ghaliknf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4700

C:\Windows\SysWOW64\Gfembo32.exe
C:\Windows\system32\Gfembo32.exe
1⤵
- Executes dropped EXE
PID:4788
- C:\Windows\SysWOW64\Gmoeoidl.exe
  C:\Windows\system32\Gmoeoidl.exe
  2⤵
  - Executes dropped EXE
  PID:984

C:\Windows\SysWOW64\Hopnqdan.exe
C:\Windows\system32\Hopnqdan.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4848
- C:\Windows\SysWOW64\Helfik32.exe
  C:\Windows\system32\Helfik32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3648

C:\Windows\SysWOW64\Hijooifk.exe
C:\Windows\system32\Hijooifk.exe
1⤵
- Executes dropped EXE
PID:1272
- C:\Windows\SysWOW64\Hcpclbfa.exe
  C:\Windows\system32\Hcpclbfa.exe
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
1⤵
- Executes dropped EXE
PID:3580
- C:\Windows\SysWOW64\Hecmijim.exe
  C:\Windows\system32\Hecmijim.exe
  2⤵
  - Executes dropped EXE
  PID:4940

C:\Windows\SysWOW64\Ikpaldog.exe
C:\Windows\system32\Ikpaldog.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020
- C:\Windows\SysWOW64\Ibjjhn32.exe
  C:\Windows\system32\Ibjjhn32.exe
  2⤵
  - Executes dropped EXE
  PID:532

C:\Windows\SysWOW64\Iblfnn32.exe
C:\Windows\system32\Iblfnn32.exe
1⤵
- Executes dropped EXE
PID:8
- C:\Windows\SysWOW64\Iejcji32.exe
  C:\Windows\system32\Iejcji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:1312

C:\Windows\SysWOW64\Iemppiab.exe
C:\Windows\system32\Iemppiab.exe
1⤵
- Drops file in System32 directory
PID:1940
- C:\Windows\SysWOW64\Ilghlc32.exe
  C:\Windows\system32\Ilghlc32.exe
  2⤵
  PID:4808

C:\Windows\SysWOW64\Imfdff32.exe
C:\Windows\system32\Imfdff32.exe
1⤵
PID:3636
- C:\Windows\SysWOW64\Ipdqba32.exe
  C:\Windows\system32\Ipdqba32.exe
  2⤵
  PID:3704

C:\Windows\SysWOW64\Jcbihpel.exe
C:\Windows\system32\Jcbihpel.exe
1⤵
PID:5192
- C:\Windows\SysWOW64\Jfaedkdp.exe
  C:\Windows\system32\Jfaedkdp.exe
  2⤵
  PID:5232

C:\Windows\SysWOW64\Jfcbjk32.exe
C:\Windows\system32\Jfcbjk32.exe
1⤵
PID:5336
- C:\Windows\SysWOW64\Jianff32.exe
  C:\Windows\system32\Jianff32.exe
  2⤵
  PID:5372

C:\Windows\SysWOW64\Jbjcolha.exe
C:\Windows\system32\Jbjcolha.exe
1⤵
PID:5444
- C:\Windows\SysWOW64\Jidklf32.exe
  C:\Windows\system32\Jidklf32.exe
  2⤵
  PID:5480

C:\Windows\SysWOW64\Jpnchp32.exe
C:\Windows\system32\Jpnchp32.exe
1⤵
- Drops file in System32 directory
PID:5516
- C:\Windows\SysWOW64\Jfhlejnh.exe
  C:\Windows\system32\Jfhlejnh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5556

C:\Windows\SysWOW64\Jpppnp32.exe
C:\Windows\system32\Jpppnp32.exe
1⤵
PID:5628
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  PID:5664
- - C:\Windows\SysWOW64\Klgqcqkl.exe
    C:\Windows\system32\Klgqcqkl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:5732
  - - C:\Windows\SysWOW64\Kfmepi32.exe
      C:\Windows\system32\Kfmepi32.exe
      4⤵
      PID:5816
    - - C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        5⤵
        
        PID:5852
      - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        6⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        7⤵
        
        PID:5944

C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
1⤵
PID:5588

C:\Windows\SysWOW64\Jplfcpin.exe
C:\Windows\system32\Jplfcpin.exe
1⤵
PID:5408

C:\Windows\SysWOW64\Jpijnqkp.exe
C:\Windows\system32\Jpijnqkp.exe
1⤵
PID:5300

C:\Windows\SysWOW64\Jmknaell.exe
C:\Windows\system32\Jmknaell.exe
1⤵
PID:5264

C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe
1⤵
- Modifies registry class
PID:5156

C:\Windows\SysWOW64\Jfoiokfb.exe
C:\Windows\system32\Jfoiokfb.exe
1⤵
PID:848

C:\Windows\SysWOW64\Ifllil32.exe
C:\Windows\system32\Ifllil32.exe
1⤵
PID:2044

C:\Windows\SysWOW64\Ickchq32.exe
C:\Windows\system32\Ickchq32.exe
1⤵
PID:3864

C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\Ikbnacmd.exe
C:\Windows\system32\Ikbnacmd.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3632

C:\Windows\SysWOW64\Iehfdi32.exe
C:\Windows\system32\Iehfdi32.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\SysWOW64\Hcdmga32.exe
C:\Windows\system32\Hcdmga32.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWOW64\Hmjdjgjo.exe
C:\Windows\system32\Hmjdjgjo.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWOW64\Hkkhqd32.exe
C:\Windows\system32\Hkkhqd32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4508

C:\Windows\SysWOW64\Himldi32.exe
C:\Windows\system32\Himldi32.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\Hflcbngh.exe
C:\Windows\system32\Hflcbngh.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\SysWOW64\Hkfoeega.exe
C:\Windows\system32\Hkfoeega.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\SysWOW64\Hiefcj32.exe
C:\Windows\system32\Hiefcj32.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\Gokdeeec.exe
C:\Windows\system32\Gokdeeec.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\Ghopckpi.exe
C:\Windows\system32\Ghopckpi.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\SysWOW64\Gbdgfa32.exe
C:\Windows\system32\Gbdgfa32.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\SysWOW64\Glhonj32.exe
C:\Windows\system32\Glhonj32.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\Gfngap32.exe
C:\Windows\system32\Gfngap32.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWOW64\Fbpnkama.exe
C:\Windows\system32\Fbpnkama.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3644

C:\Windows\SysWOW64\Fckajehi.exe
C:\Windows\system32\Fckajehi.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\SysWOW64\Fomhdg32.exe
C:\Windows\system32\Fomhdg32.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\Eepjpb32.exe
C:\Windows\system32\Eepjpb32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\Ecmeig32.exe
C:\Windows\system32\Ecmeig32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\Elbmlmml.exe
C:\Windows\system32\Elbmlmml.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Eeidoc32.exe
C:\Windows\system32\Eeidoc32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\Ecjhcg32.exe
C:\Windows\system32\Ecjhcg32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\Elppfmoo.exe
C:\Windows\system32\Elppfmoo.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\Lffhfh32.exe
C:\Windows\system32\Lffhfh32.exe
1⤵
PID:5992
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  - Modifies registry class
  PID:6056
- - C:\Windows\SysWOW64\Lenamdem.exe
    C:\Windows\system32\Lenamdem.exe
    3⤵
    PID:6112
  - - C:\Windows\SysWOW64\Lmgfda32.exe
      C:\Windows\system32\Lmgfda32.exe
      4⤵
      PID:1028
    - - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        5⤵
        
        PID:2632
      - C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1668
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        7⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        8⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        9⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        12⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        13⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3712
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        15⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        16⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        17⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        18⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        19⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        20⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        21⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        22⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        23⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        24⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        25⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        26⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        27⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        28⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        29⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        30⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        31⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        32⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        33⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        34⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        35⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        37⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        38⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        39⤵
        
        PID:32
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        40⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        41⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        42⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        43⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        44⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        45⤵
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        46⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        47⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        48⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        50⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        51⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        52⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        54⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        55⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        56⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        57⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        59⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        60⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        61⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        62⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        63⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        66⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        67⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        68⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        69⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        70⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        71⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        72⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        73⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        74⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        76⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        77⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        78⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        79⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        81⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        82⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        83⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        84⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        87⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        88⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        89⤵
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        90⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        93⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Eecdjmfi.exe
        
        C:\Windows\system32\Eecdjmfi.exe
        94⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Ehapfiem.exe
        
        C:\Windows\system32\Ehapfiem.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Eolhbc32.exe
        
        C:\Windows\system32\Eolhbc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Eajeon32.exe
        
        C:\Windows\system32\Eajeon32.exe
        97⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Edhakj32.exe
        
        C:\Windows\system32\Edhakj32.exe
        98⤵
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Eggmge32.exe
        
        C:\Windows\system32\Eggmge32.exe
        99⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Eonehbjg.exe
        
        C:\Windows\system32\Eonehbjg.exe
        100⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Eehnem32.exe
        
        C:\Windows\system32\Eehnem32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Ehfjah32.exe
        
        C:\Windows\system32\Ehfjah32.exe
        102⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Eopbnbhd.exe
        
        C:\Windows\system32\Eopbnbhd.exe
        103⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Eaonjngh.exe
        
        C:\Windows\system32\Eaonjngh.exe
        104⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Edmjfifl.exe
        
        C:\Windows\system32\Edmjfifl.exe
        105⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Eobocb32.exe
        
        C:\Windows\system32\Eobocb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Edpgli32.exe
        
        C:\Windows\system32\Edpgli32.exe
        107⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Egnchd32.exe
        
        C:\Windows\system32\Egnchd32.exe
        108⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Emhldnkj.exe
        
        C:\Windows\system32\Emhldnkj.exe
        109⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Fdbdah32.exe
        
        C:\Windows\system32\Fdbdah32.exe
        110⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Fkllnbjc.exe
        
        C:\Windows\system32\Fkllnbjc.exe
        111⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Fnjhjn32.exe
        
        C:\Windows\system32\Fnjhjn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Fgbmccpg.exe
        
        C:\Windows\system32\Fgbmccpg.exe
        113⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Fnmepn32.exe
        
        C:\Windows\system32\Fnmepn32.exe
        114⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1800
        
        C:\Windows\SysWOW64\Fgeihcme.exe
        
        C:\Windows\system32\Fgeihcme.exe
        116⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Folaiqng.exe
        
        C:\Windows\system32\Folaiqng.exe
        117⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Fajnfl32.exe
        
        C:\Windows\system32\Fajnfl32.exe
        118⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Fdijbg32.exe
        
        C:\Windows\system32\Fdijbg32.exe
        119⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Fkcboack.exe
        
        C:\Windows\system32\Fkcboack.exe
        120⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Fehfljca.exe
        
        C:\Windows\system32\Fehfljca.exe
        121⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Fgjccb32.exe
        
        C:\Windows\system32\Fgjccb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7480
        
        C:\Windows\SysWOW64\Foqkdp32.exe
        
        C:\Windows\system32\Foqkdp32.exe
        123⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Gaogak32.exe
        
        C:\Windows\system32\Gaogak32.exe
        124⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Gdncmghi.exe
        
        C:\Windows\system32\Gdncmghi.exe
        125⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Gglpibgm.exe
        
        C:\Windows\system32\Gglpibgm.exe
        126⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Gnfhfl32.exe
        
        C:\Windows\system32\Gnfhfl32.exe
        127⤵
        Drops file in System32 directory
        
        PID:7712
        
        C:\Windows\SysWOW64\Ggnlobej.exe
        
        C:\Windows\system32\Ggnlobej.exe
        128⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Gnhdkl32.exe
        
        C:\Windows\system32\Gnhdkl32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        130⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Gnmnfkia.exe
        
        C:\Windows\system32\Gnmnfkia.exe
        131⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Gfdfgiid.exe
        
        C:\Windows\system32\Gfdfgiid.exe
        132⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Gkaopp32.exe
        
        C:\Windows\system32\Gkaopp32.exe
        133⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Hdicienl.exe
        
        C:\Windows\system32\Hdicienl.exe
        134⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Hkckeo32.exe
        
        C:\Windows\system32\Hkckeo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Hfipbh32.exe
        
        C:\Windows\system32\Hfipbh32.exe
        136⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Hhgloc32.exe
        
        C:\Windows\system32\Hhgloc32.exe
        137⤵
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Hnddgjbj.exe
        
        C:\Windows\system32\Hnddgjbj.exe
        138⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Hdnldd32.exe
        
        C:\Windows\system32\Hdnldd32.exe
        139⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Hocqam32.exe
        
        C:\Windows\system32\Hocqam32.exe
        140⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Ikokan32.exe
        
        C:\Windows\system32\Ikokan32.exe
        141⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Ifdonfka.exe
        
        C:\Windows\system32\Ifdonfka.exe
        142⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Iickkbje.exe
        
        C:\Windows\system32\Iickkbje.exe
        143⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        144⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Idjlpc32.exe
        
        C:\Windows\system32\Idjlpc32.exe
        145⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\Ighhln32.exe
        
        C:\Windows\system32\Ighhln32.exe
        146⤵
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Ibnligoc.exe
        
        C:\Windows\system32\Ibnligoc.exe
        147⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Ieliebnf.exe
        
        C:\Windows\system32\Ieliebnf.exe
        148⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ioambknl.exe
        
        C:\Windows\system32\Ioambknl.exe
        149⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7960
        
        C:\Windows\SysWOW64\Jilnqqbj.exe
        
        C:\Windows\system32\Jilnqqbj.exe
        151⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Bfhadc32.exe
        
        C:\Windows\system32\Bfhadc32.exe
        152⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Gmcdffmq.exe
        
        C:\Windows\system32\Gmcdffmq.exe
        153⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Iddljmpc.exe
        
        C:\Windows\system32\Iddljmpc.exe
        154⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        155⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Lbkkgl32.exe
        
        C:\Windows\system32\Lbkkgl32.exe
        156⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Lejgch32.exe
        
        C:\Windows\system32\Lejgch32.exe
        157⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        158⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:620
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        160⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Lbpdblmo.exe
        
        C:\Windows\system32\Lbpdblmo.exe
        161⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        162⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        163⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mjneln32.exe
        
        C:\Windows\system32\Mjneln32.exe
        164⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Njghbl32.exe
        
        C:\Windows\system32\Njghbl32.exe
        165⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Nliaao32.exe
        
        C:\Windows\system32\Nliaao32.exe
        166⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        167⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        168⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Nolgijpk.exe
        
        C:\Windows\system32\Nolgijpk.exe
        169⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Niakfbpa.exe
        
        C:\Windows\system32\Niakfbpa.exe
        170⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1324
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        172⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Okgaijaj.exe
        
        C:\Windows\system32\Okgaijaj.exe
        173⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        174⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        175⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Oadfkdgd.exe
        
        C:\Windows\system32\Oadfkdgd.exe
        176⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        178⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        179⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        180⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7320
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        183⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        184⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Phincl32.exe
        
        C:\Windows\system32\Phincl32.exe
        185⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        186⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        187⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        188⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        189⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Qohpkf32.exe
        
        C:\Windows\system32\Qohpkf32.exe
        190⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        191⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        192⤵
        Drops file in System32 directory
        
        PID:8492
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8536
        
        C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        194⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        195⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        196⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8728
        
        C:\Windows\SysWOW64\Dlkbjqgm.exe
        
        C:\Windows\system32\Dlkbjqgm.exe
        198⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        199⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        200⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        201⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        202⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        203⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        204⤵
        Drops file in System32 directory
        
        PID:9064
        
        C:\Windows\SysWOW64\Ejfeng32.exe
        
        C:\Windows\system32\Ejfeng32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9104
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        206⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        207⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        208⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Fbhpch32.exe
        
        C:\Windows\system32\Fbhpch32.exe
        209⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        210⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        211⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        212⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        213⤵
        Modifies registry class
        
        PID:8640
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        214⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Gjdaodja.exe
        
        C:\Windows\system32\Gjdaodja.exe
        215⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        216⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        35⤵
        Drops file in System32 directory
        
        PID:8296
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        36⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        37⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        38⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        39⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        40⤵
        
        PID:8556

C:\Windows\SysWOW64\Gkhkjd32.exe
C:\Windows\system32\Gkhkjd32.exe
1⤵
- Drops file in System32 directory
PID:8852
- C:\Windows\SysWOW64\Gmiclo32.exe
  C:\Windows\system32\Gmiclo32.exe
  2⤵
  - Modifies registry class
  PID:952
- - C:\Windows\SysWOW64\Gdcliikj.exe
    C:\Windows\system32\Gdcliikj.exe
    3⤵
    PID:5048
  - - C:\Windows\SysWOW64\Hgdejd32.exe
      C:\Windows\system32\Hgdejd32.exe
      4⤵
      PID:8984
    - - C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        5⤵
        
        PID:604
      - C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        6⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1016
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        8⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        9⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        10⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8316
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3360
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8448
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        14⤵
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        15⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        16⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        17⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        18⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Jjoiil32.exe
        
        C:\Windows\system32\Jjoiil32.exe
        19⤵
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        20⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        21⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        22⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        23⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        24⤵
        Modifies registry class
        
        PID:8624
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        25⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        26⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        27⤵
        Modifies registry class
        
        PID:8764
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2080
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        29⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        30⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        31⤵
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        32⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        33⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        34⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        35⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        36⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        37⤵
        Drops file in System32 directory
        
        PID:8884
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        38⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        39⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        40⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        41⤵
        Modifies registry class
        
        PID:9080
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        42⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        43⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        44⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        45⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        46⤵
        Modifies registry class
        
        PID:9184
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        47⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        48⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        49⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        50⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        51⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        52⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        53⤵
        
        PID:5572

C:\Windows\SysWOW64\Fbbpmb32.exe
C:\Windows\system32\Fbbpmb32.exe
1⤵
- Modifies registry class
PID:5880
- C:\Windows\SysWOW64\Flkdfh32.exe
  C:\Windows\system32\Flkdfh32.exe
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\Fbelcblk.exe
    C:\Windows\system32\Fbelcblk.exe
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\Fbgihaji.exe
      C:\Windows\system32\Fbgihaji.exe
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        5⤵
        
        PID:3312
      - C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        6⤵
        
        PID:3588

C:\Windows\SysWOW64\Gbnoiqdq.exe
C:\Windows\system32\Gbnoiqdq.exe
1⤵
PID:5832
- C:\Windows\SysWOW64\Gnepna32.exe
  C:\Windows\system32\Gnepna32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6120

C:\Windows\SysWOW64\Iipfmggc.exe
C:\Windows\system32\Iipfmggc.exe
1⤵
PID:4020
- C:\Windows\SysWOW64\Iomoenej.exe
  C:\Windows\system32\Iomoenej.exe
  2⤵
  PID:6728
- - C:\Windows\SysWOW64\Igdgglfl.exe
    C:\Windows\system32\Igdgglfl.exe
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\Iibccgep.exe
      C:\Windows\system32\Iibccgep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6320
    - - C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        5⤵
        
        PID:3616
      - C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        6⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        7⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        10⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        11⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        13⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        14⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        16⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        17⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        18⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        19⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        20⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        21⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        22⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        23⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        24⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        26⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        27⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        28⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        29⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        30⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        31⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        32⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        33⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        34⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        35⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        36⤵
        Drops file in System32 directory
        
        PID:9212
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        37⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        38⤵
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        39⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        40⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        41⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        43⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        44⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        45⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        46⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        47⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        48⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        49⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        50⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        51⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        52⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        53⤵
        
        PID:32
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        54⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        55⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        56⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        57⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        58⤵
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        59⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        60⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        61⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        63⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        64⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        65⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        66⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        67⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        68⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        69⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        70⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        71⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        72⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        73⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        74⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        75⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        76⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        77⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        78⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        79⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        80⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        81⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        82⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        84⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        85⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        86⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9052
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        88⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9016
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        90⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        91⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        92⤵
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        94⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        95⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        96⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        97⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        98⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        99⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        100⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        101⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        102⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        103⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        104⤵
        Drops file in System32 directory
        
        PID:8224
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        105⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        106⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        107⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2088
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        109⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8356
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8180
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        112⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        113⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        114⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        115⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        116⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        118⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        119⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        120⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        121⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        122⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        123⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        124⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        125⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        126⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        127⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        128⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        129⤵
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        130⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        131⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        132⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        133⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        134⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        135⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        136⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        138⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        139⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        140⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        142⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        143⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        144⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        145⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        146⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        147⤵
        Drops file in System32 directory
        
        PID:7904
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        148⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        149⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        150⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        151⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        152⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        153⤵
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        154⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2528
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        156⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        157⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        159⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        161⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        162⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        163⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        164⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        166⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        167⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        168⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        170⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        171⤵
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        172⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        173⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        174⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        176⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        177⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        178⤵
        
        PID:664
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        179⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        180⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        182⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        183⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        184⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        185⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        186⤵
        Modifies registry class
        
        PID:7640
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        189⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        190⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        191⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        192⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        193⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        194⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        195⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        196⤵
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        197⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        198⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        200⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        201⤵
        
        PID:336
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        202⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        203⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        205⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        206⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        207⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        208⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        209⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        210⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        211⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        212⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        213⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        214⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        215⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        216⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4092
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        218⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        219⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        220⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        221⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        222⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        223⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        224⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        225⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        226⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        227⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        229⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        230⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        231⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        232⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        233⤵
        Modifies registry class
        
        PID:9332
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        234⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        235⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        236⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 420
        237⤵
        Program crash
        
        PID:9604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9480 -ip 9480
1⤵
PID:9524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
320KB

MD5
7668a7ce36ee87fc76fc12ed829a9e1e

SHA1
3129bbbdb93c03faec16c216cfe2decb7237151a

SHA256
78acf382817e8c74fd7af5836a0adfe26d6dd4bc9925839a691cfaa78bd99045

SHA512
d5db0cbe740c4abdc1790a3ffc0595453dc1821bce403f198cd6715647df64e88c2eed817d396ffa8f67f0141e183834a914dd740e181ccd5f58c21e0421f326

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
790KB

MD5
94df2cb2612a78bb59f3af8e94ca70a9

SHA1
2210f238f9039138aeae4856747180edb54bd656

SHA256
dd4c2b1ae43a9c41e1145104e5112d293084755480806a0d541746da1adc007b

SHA512
4ee901409cde7e5ac163d21c8fedf6681240b599b1c08b0aca51ce4f4bcd2fedb4d6419e745a9a5544dde98e6602442546eadc2bf23378cd6e77d0290e589a6e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
790KB

MD5
05737b03b6e84cf1ce780e1ca63f7ea8

SHA1
6cce31363d84b0edf6e99a95879d900299d4497b

SHA256
8e4692bcdd8ab0f350b4eff779cd30b88ecfe197cb96eabd03d7d5a71bbde549

SHA512
24f7a2341b4b1b38846bccdf911be78c7083d64ba88761eb30e0c9f466c11f794d071c924b7f657bb31ace76bf38840d7c5e58878ed2034aa50052b0a6250e98

Download Submit
C:\Windows\SysWOW64\Bfhadc32.exe

Filesize
704KB

MD5
c26197d0bf0c61312805fd0760e15bd4

SHA1
50a4b148b9fb5ae191113d9ca680859ce0413b0b

SHA256
7b8fac8cec7dfb6aa4a927a11f2092c06f67666442e47ea66630e3eaac537a05

SHA512
a2689cb44f6107bfdc922f625bef6612156a897ffb1fc9cdb6eb267f5b4c930d7d3234a3a25ccea46e3d05d3302d32916ca36817ee630b2f3e84d54c464d815c

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
790KB

MD5
4eea8ea09590a3800cdfd64254d8f507

SHA1
fa9418b30dbb6e886b8d06500575b6e9ec70f5d3

SHA256
5ae3b3a8112ce0d538fa0ad01312387e7289ecb51910120ad00903835433a9ba

SHA512
081104639c35056a05db3da4c34a2bccc6d76478323604fdca987bae1b183aef9644ee7afea9a12055a0fc66561c9d84e2d79265edd0e6ccfd5dde5830621a6b

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
790KB

MD5
c4aa48c01fe388e00d0a022327573998

SHA1
ba615e4ecad92476f130d605fc1555990bdc24c3

SHA256
42ddce168a6a391da7c3d000f0ec689e1b74b81eacbfa8977957f3ed6456fe51

SHA512
8d1bd45b95b2cd211c3d0b67723b3f5d05cad3727f9c717e0bb295335d298e0ab0969bb2e750e081027f6727e5bcaa904530d97eb877c5447fccbf9be5c2f8e6

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
790KB

MD5
fb26e7b684c1f514a112b77eee8baccb

SHA1
4e57167803a51d10808cc3a01d7fb2628a418987

SHA256
71ba3a9d3887fa97abced89ca36d756ad2ed5891719f61e2acb0359903a5daaa

SHA512
361d109a32c45ec9bb4cf3c84d129d3a9dd37a946027d59bf0b9e08ac752f0332f018734510c2b10dc454bf0caf04e3e6b02ef089765d31403380d585c3a5602

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
790KB

MD5
a9e886c43a288dcf0908f715375c31a0

SHA1
7dec901e094b8c45b2adc3959539c187cf15285c

SHA256
9b36425974d54c3bdbd794499d6b26f6bfce11458035ee757b39cd29e3f19aa1

SHA512
e4e5c383f72c04132945fb49260f669983817ba73407a1aad59336dff8994516d361580ec13cacc0aa327663a67de0de022b832c15b592a88e2c4d987b93184a

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
320KB

MD5
a055192fd37cbb77e4e6bd9aaaaa7cf0

SHA1
12b79ccfdb97243c80909a5b07e5595d4405e4fa

SHA256
359f677f5f908162dad31f7ca328bbda8a9f1d8ea03554033d77339d1059c2d6

SHA512
40817e1bd3c1cd05ceeda5f0c00120438ed571da3a5e149e914c2ed4af60b407f01a8fb56fa1913b04a9df5468c8044f083a0085d7ab132c34504883eb702af9

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
790KB

MD5
d2fd6feb4d9acaffd764717d8f179893

SHA1
3160d9ec3dfe4d33f722547d05ceab040b5bc7c8

SHA256
c17e75874cda70b4d2d9ee38d79411f44259403c393746f9a05d45bff3e9d25d

SHA512
3cb2ed6a259e73c1732f12d35bf2d404dabfe418f9404f998b5a0025173aa93fa769f937a84153f69150a0aaa41a62073126d95a2f42afed9c86b6060008f193

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
790KB

MD5
19262d987da8f7604e9e25e9976f5245

SHA1
c9226d1a203dae709399015a7623c1a3bd6b351d

SHA256
9cd7f522b6cf7534c41c7504f5e8de86927a5eb704965a393eab8e71c253d017

SHA512
c83f468943859f8cb19a95abe5e6c63304546c07fde3847bd066477fea7d4b0c815f087bd23549ef3f9919cbce033bb74a2f0540d96e83b216b53b53cc6fa7fa

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
576KB

MD5
1a44b575bca844a5bc07cbf6a8b15666

SHA1
a85f43de5be6bfbf8468a268bc664d586b1f64b6

SHA256
efd370680028b8aed969ba8b9c08b1afff0921c9baa7ada77457e4d34c9b9d70

SHA512
d437b3518764b08ce783d9ffb5a905b301ba0c202387e733442c2bcd256b8bad162882184e1ab891b1be385029225e9e8bfff96750dd885003b7d5378cd54315

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
790KB

MD5
a49b43058db4c8e1d2eee6e05d55c6a7

SHA1
614e28b645ef71ec8d73f07ad76492336c87a4f0

SHA256
96e14daf3a2a96ec5e887be941ba8d70493fdc7102a4ffae7fe6e89e6ed678fb

SHA512
168c98a7c67400eb1a5606fa4998a65fc833c346db47192d66881b785b39a9e47e8433d9f88c8e56698a6b953ca4d4882a595bd657d11776498a8c2f675b5113

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
790KB

MD5
2f6b619e59f415651455f42e85d7821f

SHA1
c28e15c61bb337ca43d8cb1a9375977f96489cae

SHA256
771f0a9453e8de4efb896e954f0f868e8c7645a9b63e069160eb3be983388270

SHA512
31dcfed4357c938cab3c9b8ea0e6fb491e3ae8422750c691c41fe48c26e69f9ef0eb5865da0cd72a246666a382b23234e522b8537bcc625381983e068af738cc

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
790KB

MD5
0f64bfa7433f0f4ac23b3a55b07aa3cf

SHA1
0b3e2b0033c062bc9665d2dd0cd8c3ed1c479973

SHA256
7a70c1b097ec8031f0fe78136e66fd7a35713513ecd7d11acc12b594b94dce34

SHA512
ad506ecdface7e40b60695982b8e13be5084b514cc85a320214aa7abf8700032a2472b2342766176f2c5b51de8b2ca789b7f0b0b15037be10b8b78548d363b35

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
704KB

MD5
ca27415978cc6ab1d211b9620893a303

SHA1
880be0ef904667bd4e3186bf1f55a67a178c3f69

SHA256
e8c721a2e1f39dd15fcadd54d93d811b6fbd8fdbbd4498769c006309b6ef5190

SHA512
f71afa1b245f20e888580e578c3e4ff3ed14674de08e8f31d0efa7510feb1a496f2cdbcb26d3e39003127b3ea87772e04cdef678a6a2c96d02d7eedcbea19d26

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
790KB

MD5
b272a346d584d8cbc3bc18d6a69c1807

SHA1
7c4b5b64e80d4e3ab3a7ef870d3b4036ea8b42a0

SHA256
a9ea16eb0fc92489074ceceb19cd8626f96204a5348ecaa5869b717f260da9b7

SHA512
3aa8a21bb622b1b5196413f7949a89c7ad33d7b0dacc0f1f788fb688f836f3a1390e46aa488d47731cb40e1b79790ec8a68b4e6e29cc6dff46525af600fed712

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
790KB

MD5
bc6749bd5f0f8849f94824f0dc709c3a

SHA1
ebe776beff7d2586c26e17ba537abc9d73c28424

SHA256
1b1489a0e0cfa8cdcd83189f90d02f53a6a6e1bc2b793f7e0a8d6eff90574543

SHA512
edbceb8387044640ec08b24ce9ea42cf189528666d65de5053e5d0c52e719a8e46f0c43a4ed847caea4722852d5bed48476d1dfa08104989cf0fc8fe9c012206

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
320KB

MD5
708f9d7fdac486b9c3d699a123c092c9

SHA1
ec0caf5686043a4b9d922ae92ec23fdf67574a47

SHA256
5fd0032d9e284b6dd6973425ff9f3849dfb2eb6d664f8f0f5987983ca7cc0ee5

SHA512
d3f963f1ec3505eb2c75395415b08ed2da5db2c0abe449a1f9507c9e461463ddb4f83a3038526d687e167c7c745ac0d079d19b462153bcc0b46e7434eeaef173

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
790KB

MD5
894525b4901f83b94c203a58a46c8284

SHA1
a2ddef2769d74c407ab5c6bb23808699232805dc

SHA256
1e9163bb10cc0393ca1f6434e928c21ca82bdffa6415a39fc1a9a1de8413110e

SHA512
686926cbb1d755403f7832c43350c5e1638b6eafe09fd6ae4a5221d1c77704524d7c7fe63c37a8321a312060e266b5f3485326f2d223685d9b4bfdf095d0630d

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
192KB

MD5
a2ef52251e017a2675c380b3466fb2ab

SHA1
abeb6d34e2d6ab1877221f1e45271db87a6d5020

SHA256
73f136f849d91f8c020b677751fcfd83df6ac0c61b7d773413ae0373231e6492

SHA512
392bcd12e87a69ce1db51f475df773f5ebc1ed5d1e71d906c55d9a3bf23da00d96613824cfb0994cd13cdef313b379ca5ea958a5295799304fb9ce55a08dfdf5

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
790KB

MD5
385c433c19b54d436295b1cdfb519ac9

SHA1
17c14d5f0bf132302f3fcba5f12626e844ad5116

SHA256
b6f3efe4b6ccef303859c2e9d089a681d084495c5aa379770c43666d89b6ce55

SHA512
4386e8a1b18c85df54dee8afae9469f81baaccb0b6bd83b5a2f22c0da176013e8f58967c3cafb84306a7af6282b3c5b0fad1b3379e26209c59bee1a2c579dbd0

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
790KB

MD5
35ae111aada7ca5889511037df9d27d3

SHA1
3e81a4a0fd11718573be47e47601305b70439c43

SHA256
eed01f2e42c54905c98798284e138d564a074c18f4d9728f277929cf0ff73ef2

SHA512
1eb64c4be0a287ab9c7ff340bde7cf2dd55cd1f1c61069fe97bc9bfa9ff60840ff2bc35c6cac09d4d46b9001c8cce6a9a3760e855707db8ffb18f23af9184c60

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
790KB

MD5
c4d9b5d4c696d0ef6394f6672ef769c8

SHA1
8b44608c8bf7e090a77659f9aafd2ee5c982e7e9

SHA256
11c6dea1a4002fd92e2abe211050f45692210a507fb4833bc3a62a03250cabe1

SHA512
6939ba3ad0a3b32458a794912a248cc9ddccc466ff694125f46ba37330d19b779c739d0b55e10473a0b64f52982fc27cefda8de4d50e62ea9a67c6fa422d85d5

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
790KB

MD5
8f49bbe057038f5030133501cb658437

SHA1
d9eb599df1d400c5d68fd9486f9f6ae7a91b477b

SHA256
f79bdbecaf38eee29dc72d913de0456d04a82e0f3e1dd9c10933cead91c84b92

SHA512
7ed91472da101e81f8a5f3d0f0af4ef818034c39e470baf6087a3d5c55ff5f53626a9b8e4aec264ed61d2332cf66d4e80f6fa0f890d04ae57bc25a0022852428

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
790KB

MD5
ff101e22736cc1b45c8969af0a1bd707

SHA1
161e8f741e47b2db1368fcae05ae5f72a9233242

SHA256
1a2a58e87c61dfe5f17e90849c61125ab13b8a3b0e56208c0ebbec8418e46b81

SHA512
1defc3ba5cc9d1243141c3031bec4a6d36a6f7072cbb37f97011b4fbc3eac9dd8fe747bba7c0471e087158247ecf43ea4ce36d5dc9b349319b21d69d00c99e16

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
115KB

MD5
4a5a4121d1b28eeee0757324153359c0

SHA1
bc0307bb90b5c823b76d1db930d70738e73bc38b

SHA256
a47dfe7fb50e0cf6e29b5585b536dae1741d20b3c74c24febb327b5bbd5210cd

SHA512
11202912acafe71caed253af16d982f939d7d74b21ca02aba153d1adc9abbed3f40a2b14507d191f659a7c548d5eb1918da28f009c9b95f671e8f048f1343807

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
790KB

MD5
e0bd2e67b75048c528fca6563c01b14c

SHA1
faa7dabec72968752b52f01ed19257f76f953cc4

SHA256
8c82edb65c589e7d862c499f1bbc86a01bfea24abbd99000c2907fd0c73798d5

SHA512
3e83d44b655e9adf6927ec00f85f47adcd18afe30c3c73ed4a26bd92159edb87a2c489a7c4ae15755ccec3ef2a269d8de38440a500eb9dcf7625cf96c86538e8

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
790KB

MD5
20f40e1034f26a05c6b9e8bc16415b3a

SHA1
f6b983aa13cc61f26b27eaba546ac78f877f6223

SHA256
c313ea3aa2300d8c50b884616d5ba8f6bd5647c3d99f419846f74029ae15ab13

SHA512
f4379e468abb46bfaeacb2810806b867dc3344adc2d522b57511f792f46440d8e6c7df0e6399d697bcb9a8c5e71119a8eae372bbaf40d438ecbdb361f472624c

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
448KB

MD5
a695a3518a2008da7941c06aca4eaab5

SHA1
9389a58f8ed7f8a7d212a622e4b6f072548e5d3a

SHA256
e7c14e4e8ce473684a27e1db13e71c8252abbce84d96145848b8367104d19273

SHA512
7985303aa79430b4708b2da7db679b4ca73f0842372d25ea8887a6dd1f22fb3939f43e01a0b184c677c0f9fce7d8f6730cf14a1ba42fe27f17b41792d7c59cca

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
790KB

MD5
693927dabede0592ac0aca4dee15fb25

SHA1
8683ec7b179814b0de56937ca2e0341da2395937

SHA256
5c363478bff7bae81f312f430fb5e5b32427431aec4362ab91089cd15af0b48d

SHA512
675c82ffeaebda34388a43d172e676f702f9fcd226302b0eda54470849275aff5e36bbdba2c6e50d6bc2a5af3fe935acf56701c28cbd66d0674084fd02f7e996

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
576KB

MD5
8d829ed1ad22a3ece03fc32e8fdfb517

SHA1
6c777b083e3e12e55aa1bc3cb4dc06002fef4df8

SHA256
b24bfbe727683ecbf96230ed7e23e22ff2fab15328eb3bb2debcee3fe7e63d48

SHA512
0ac9010ec126aff201e63406a44cda346916fc268a8de7d34a5651c7e055875cbc9bd3cad94a7fa058e87436a8508bebd5871ebbc56f5a4649d2ec4b69fef1cf

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
790KB

MD5
6c01ff4e61c09338dc51f74ee53cb214

SHA1
3d9933c57d9f71ef5d31077addd2fdf4caccaf6e

SHA256
a0aa849941b9e9f957716eb42b5d3475b16fa6e0f311cce26f4f99d8692ec198

SHA512
5c7c8c59f6aa4d5fabcfd0700f1136a9a929525554aecd5d19b0f980db7b4aabc517dfcaaffd95f79d6241ff9bcc1f7a189ae8ec57f94e02d197ae0ecb744a67

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
790KB

MD5
0084c05b4f2cdc754cfbb158393898ae

SHA1
1936826349c740fea3d32c57abbf8d6e886881eb

SHA256
f7be3c39b9ebe42498e838898219aab7d47e82bea7f8a2b899ba4e17ede483e5

SHA512
8c1b17b6028e78c8d972525b142cdcaa89d8121c68798b48f4a91419a410ea3d5a7a9382d0207e1a165f007b6fbb03873e9094f1ca02b2293c540e2ea5a594ed

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
790KB

MD5
e28290ddf2b0945462786ddd6532d6c0

SHA1
70366cc25a4e67ccf1a7bc377e043361c6993f3f

SHA256
5c47d605cae0e58006df74f9b33483fff35fc6bcca1ef6548f98f3957739fea1

SHA512
a59e60efc4461df4aa0abc782ec114e1506bd894ae64edec786c88fce73bdee4e060a1d57ed7157b0a84129be423a4ef7dde01145c2c07f0da1c137e0d3a3be3

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
241KB

MD5
7b17d984c1eed764a740fe63f814e000

SHA1
5476689b314550e337e13c8f3a3c74bf2361124b

SHA256
3379265240668629fb71b788f9b824e236632ea9d05d1e6b69c6740e15ed9ae9

SHA512
9bf5888ae8bdbf505a1fa09ef9a46f3c00890d0a58edbf562c101ce0b8356830f546ac31f0afcdda9a901a9a89816699069690841b69d7579de43afc79a0c40f

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
790KB

MD5
4e300e9761c43b5c7a1271b38323de87

SHA1
378ae67974f0f9fa9bcac1d87f8ed446d8a86cb7

SHA256
8c5f775aae46bb00c9fb457c2441bd83fc0d9940b4fe028430324d8df188ab62

SHA512
e21b5c425ce6e503a197a45c59285d3e679cc7a29af96f65d2fc926e232bee653069661f150ffe1aac25a9146ae5fc9a0b1ce058b158bb12e438d1ac21d7a7ec

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
790KB

MD5
cdfd9476dc1e769c9152c8eb5d6d921f

SHA1
e2883da61d37a27fd6d3aa6d6813d8d43d397182

SHA256
40bf576f222f4f1f6164faf6d12604cb2cb7d4cda9bb9f3fdd075c9c3722cd55

SHA512
e2b2d6e0df6bc0428e80fd83c40c4465d0f872bdd96d83dd331b2e0d96dfd402e514a82f40f83b03508d900197f5024c82a76000eb5100ee0b434536842337ff

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
790KB

MD5
fe0dddc2735c2d1857fd1f62619b7261

SHA1
5c4684cd22caa724ed7216ed8d2983ea131e8131

SHA256
b4d34df31c3628e7212c9dc0bdff295563a49bda4bf94c8f309ca23f8c4b59ea

SHA512
a9e47300e2cbca09b3ba83df4484396db17b9691f715ee71d00824932e123fcf5eaa8a61ebbde7eca0c8979d8433b50dbdd6bc65dff8460884de9e21ff256b33

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
790KB

MD5
9e32217e1e9ed8d4b14e3aa5a29d5292

SHA1
f3776b97c64ac556c36552ec76589c3cb844cde4

SHA256
25e9df94ad57fde21ecaaf73400f583ced795034c2f1668e766686584392ead2

SHA512
5a6b0330d22b782ba9ab55b03496006e4fa6a2b4572120c53ed3e2114bcffe68709d23a48f7d3570ed944494d1172789a36000c1f6bb7b68de491b3f146e4cba

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
790KB

MD5
08538577a0a1c7b1de223e55eb5be330

SHA1
a17a0e66610c32089e10ea982034be8864d3e845

SHA256
39a72a313ad50f0714bc7f2f0d501205fadfe882fe8cfd5629da60bde79e56df

SHA512
59f5643ec193fa24325a866f32d8d5b754e3e2bbf2f63f0e8858c2e8c1919a2ffffbf22f6826b3b29b2fec175ac5edb66e3f50c7dfcc742607d6211410eb3681

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
790KB

MD5
1fa430e88fdb2a061445de56b1309143

SHA1
f24f03ef76e847a99321149207bf8e43fa3a1c7b

SHA256
0291a556af3c2218e50d639c7edc618e33964abb1a1d683b7cf1ba5b276eaf9f

SHA512
5866efab0ad714166a683be56618d9b07d9196e5724f37c5f16222cb573571e2f83f06623a39f7ef0e55dd47291353188175e1264d35e69cbb7cb387e652bfb3

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
192KB

MD5
ba9157c323aaa5bda99284eabc460026

SHA1
5681d0701b4bf214ebcef78f5e4ea9010576b768

SHA256
2111416b797ecaf940d6b1989bf1a293be74f30e2fa343e6e9114b5bb210031d

SHA512
dbed8f67549d1058e77934ead7c16d697d997a4688b58c12ff43abf45919ad7bd9b0495dbd62d39ee4c649081e7462210a3c3f7ea1c1be00dbdbd376e93bcb91

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
790KB

MD5
3fff5af3285ef8442aa3250568f8404c

SHA1
522102cf41913e8ec188e91085b738130c099f48

SHA256
2b37a707f6667f6456133c428be1446297af3322721e5ae50cad644a9a5fe70f

SHA512
c433977040866e84d2d86dfb07b25a8afd14cec0fbc71bcfc417e598d707fe5f4cf403d72b15892bffb94f9047265b8057c59fda9296ce13de6f2bb99fcb0ada

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
790KB

MD5
c6947f964723d2c675cbddf8b19ba124

SHA1
87dca5def0ff21f979df6db6c3d394cc202cf87c

SHA256
98888630b21d680c5d8d24b597487608654c3e17d23d144357a36f49f436b339

SHA512
26eb26557119fae00e7c24e86d5c45cc35bbb6f3a7a1ecc31fe030b9bb590a63be01aaa9447470b170439a034116da6f6200025da9ff85ab78e511b8301764b0

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
790KB

MD5
0cdd9ce6e961313ef3a2b9f69f2802d1

SHA1
71e9c7d75b3da89cc08a333c04df1f68ce4b3f6b

SHA256
f695df279a6f5f872b3770a7c929133c029edafb014f27d05c9fe8a8a6d743f3

SHA512
f39a87629f3d4b529b65edd7576680ce88288e3d0ef3c6675e5021a830e11fe0a674e95a9430c43a1f4f73d006753ec5f2016c713d6ad670016d7f0aac49f6e9

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
790KB

MD5
7bd2a412b8bb229c0d10fe8e9ab5757c

SHA1
eced8391ad9ab6f55fcb354c92cd50fede39f596

SHA256
acb74da54c7edabe22ec99c336da332f4c7719076aa51b46a70dc52f976bdcc0

SHA512
6e61f24272396c1fee2ddbec142f8a183de07d695ea9b74ad02f5da16a377c33c41d6309e578d8599b939aa1571ab85f32754edc4642451d3e3c8aaba05e6301

Download Submit
C:\Windows\SysWOW64\Gnfhfl32.exe

Filesize
790KB

MD5
2e23af41caf729b29ec195ba2d4cf549

SHA1
fbeeb37183e23e303710078e962e773866b59d3c

SHA256
6634ea450dc7b54a1a8f6f6e24d9f6afc56256c5b9b01c08ae34d82e9a976bab

SHA512
e7fbb305393e39c0981abea2664fb1d316723601a83899905edc6b50375f9480b540a9277564d3abe7df7b9d4ec48e59a942b99e07f7755f64976758e0cc92e7

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
790KB

MD5
18613498f02bd6ee6aab4c31ae55b893

SHA1
f38f7cacf51c4e67527db241a67a5a403d6707d3

SHA256
b38f7bc1392ccb85f2df274258a0e16303c39db03ecde4581a6eb18938b01c50

SHA512
dbcb82827e7559fc91876c683ea04476dc6cb005e3b17a11d7700731fca5f2724575359ccb8b5cac0704e53843926f34ef3a0ea21451bcbbff7d201f342a0be0

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
790KB

MD5
e2d98259bab3e23c6024f674e4e45ad0

SHA1
580750c1ab77fdb83fb0c0735b299d8288dae736

SHA256
5d2543f77d780839ee5167a92db0f7adc2ae1e61aac4d463c8e13425bd66df12

SHA512
c2a42ce81d03ba738c110b40054c98b7fda78b09a4f3a92ce3d29294646488d9e9e995ca26d93e4c491aaad9da51fcaca4eb55c80dc9fec3740dafc78f126ed2

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
790KB

MD5
57b0411fc5ca70963786ef670c1e9538

SHA1
deaba5dd269354f7545a5875c73055bc918c7e44

SHA256
ad802b7013b86cbaa24fdd9e5a4a88d09077941ede6af37782c82df1fa7c967b

SHA512
92d99ecd9162b39efa1b36f9caf560ba359bc63d684f58fdeadcaaef528126f8fa9f3659bbb550f6663a263e72768402af0729e198d6ac96ac75e8a9350b4107

Download Submit
C:\Windows\SysWOW64\Iddljmpc.exe

Filesize
790KB

MD5
28988a30540f95c67c9bc609f74ac016

SHA1
1b37f589da4b0d1ad1709c547222368b0fdfec3f

SHA256
05a66c4978ca68326ba9f078106b64ecb8f539e34be85c203d4cb0a11da000a3

SHA512
3a3441d404be0083c88de69fffd4560cf0811e3685431619a1edb1c96d18ca3f466dfe09f02832846727954b798484e9f678d839a4ef9e5d69be39330d61c8e4

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
790KB

MD5
215523ce034d847ed47539e029894716

SHA1
dee1450f6dea9b3f946c9ad7d04cc3dba45910d2

SHA256
e1ecadb441dfa7fbc30db0a2171e7f350986c9000265b5f611c2ecbba5d8ae1d

SHA512
546efd1170e49fff8670eae622639da25ebf438d0e1f2f6c9674f48f085ae4642c96bf8209c622fa2bb77deb07fa2c9cac9700d4e12842c91bc46ecfee065e6f

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
790KB

MD5
50e2dc0dddefd448fdd6f915f2e8d3f2

SHA1
0981af5f292877a71a29908a3feced534be30760

SHA256
e137dad4dc3f6b0cd587942aa39768a2cf7fe01753fb5458f3aba4944ce799b9

SHA512
744080cad7cc5ec55d986a04612c63a0edd2af983494357a78c9f7002c6ad09c4504495d0cd7501101cff4117611a124c52322e19b19e3afe4cc44032ba5ab3d

Download Submit
C:\Windows\SysWOW64\Mdmaef32.dll

Filesize
7KB

MD5
b6275167d5eeeaa4a04619d37600bd73

SHA1
31e47f6ec1e267c6c27ee9ec0c9db09e43a26d0c

SHA256
8fb3d8a3333ffe078c41a0978a61d02eee9a85358bf35b3ab46c9909921cc8a2

SHA512
78dfbcf3db933b3807d391875e097395a94df1651c3b1bd695d6e8a0b394cf5ed3c5714c805d216e9ba66a3e279d0c13483d0af206d634f7ccc97b371318e9d8

Download Submit
C:\Windows\SysWOW64\Njghbl32.exe

Filesize
790KB

MD5
a257ab2e9883f1dc30fadec160c10369

SHA1
d79413d258266ace60c75119c485c6bf149cd57d

SHA256
3a8ae5015eeabf5a7409ef52142a31f69084b170136b8798ef4df36d87cd99b5

SHA512
db7a13210fa3eaf89ff2aae67cc71667ce2d6e0d47b51fe8c421e7724a3ce8e9bb6b94c1846cab61abcdbdd7df453116021f34d51fc467c5bb827914fc76e283

Download Submit
C:\Windows\SysWOW64\Nognnj32.exe

Filesize
790KB

MD5
787fc1516257947d6742974b12a7f888

SHA1
92c8d9873a52f67a5b5cd49b42a4443a8b1fef72

SHA256
49b9004ebc1603a16acfada1a8236459c7400f3e4544276626af7c81e8e4e745

SHA512
d12d71fa2cf3f305b143c154141cb040523a97be8ff256c8d36786d911650f0564f12090995c4a1758ffe8b8b25859875b79c904eae7a665bc0962deda49077a

Download Submit
C:\Windows\SysWOW64\Oampjeml.exe

Filesize
790KB

MD5
baa5cc534b4331092e66db0778213526

SHA1
ceaf061884874a25de9b95d5a424f9f09d908b8b

SHA256
384692a48b814a9a8c52eecc37f4d7ffa57bc40d8c526917e92082907612b302

SHA512
7ab97cfa773fd5f2d5b04eb600cd36d94e2c977db33ed5e628355a8d999e2d340f196d933952cf6a7389a7e11c9bad4d8b1aa01923da5b5eb204ff3fff78a6c3

Download Submit
C:\Windows\SysWOW64\Oohgdhfn.exe

Filesize
790KB

MD5
f9b950567ee25b2c0928983d49b637da

SHA1
a514b2c90ae28be8de32de701f57156e9bab23b8

SHA256
fc6aecb4f9310b15143bd42f6a3b9fb08b81f7be5392f01118689db9b35575d0

SHA512
ff547d3b1d2db0b2d68b5d393532e7f28b959ba2fb169945b77be35829401cdb531b1692fb9180239ee8a4dec68f91e06a4dd60d933949cdaa036e9cf082343b

Download Submit
C:\Windows\SysWOW64\Pcobaedj.exe

Filesize
790KB

MD5
e83adb6a212229151a4258ada20694fb

SHA1
7af9329b0de68ae9dab3bc968642ee8545a8e285

SHA256
ef69d549fff457fea9c728dacffbe23ec7ff8b712976c8ef915076c0132af1a6

SHA512
8bd03b0eb4a1755efbbff09e404662aebb0f6a4c544e3281453c8feaa78847b8cd68b422b7c8f0f586a3f7cea69f051511357733ca03dccb735c8df654031914

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
790KB

MD5
6a2c99c2cb4e06ad0051759b3a962464

SHA1
ba614de1c17a5164715b344f25ddf1c6a73e3b75

SHA256
c2157bea4ee2dd6ab742458843299da99370f0b546b6088e2f79c8bf4751560a

SHA512
009ac0a1eae0f772827d0d202132602cd75dc9a0022044c5773a5a326136c4284951a658f77e448268ed4ff7ca8221b5ce4e7f556c8a0f39afce9c7b9efa2a52

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
790KB

MD5
ab54b87f2c8df554cb5b58a3ed076f00

SHA1
e66fb870cf22517ac70557bd7f1549e6129bc1bd

SHA256
57bd9b943333a2791f081c43e69221bd13455f2c437df620704190fd81b4d450

SHA512
b585a62c3ef45e85112e1ff0a27ecf522e57a573c897aa6545ca5de9f6fed79bb25097a08debed1e86b96b245026aba9527161b69cb169d6d4c96bf3c14c4797

Download Submit
C:\Windows\SysWOW64\Pkadoiip.exe

Filesize
790KB

MD5
b66f633fdc9fd805f5afa8d550ec8f54

SHA1
ba297dd5caaf9b007d06bbd35a5bc9daa89b239f

SHA256
88b0d8b75475660106e72c8fd7dc37accea2b26ccb28f0d9884c869ce9f664bd

SHA512
663b2705e2236e9756541ea3a3df4c3991184c4f646632e6b80984af4e6c1a3b76335d834f072bf3b190f08c91d87032dbf1eb4353ceb601ea6a037a3d10d5d6

Download Submit
C:\Windows\SysWOW64\Poajkgnc.exe

Filesize
790KB

MD5
671f4b60b8445e948db883a515bde98c

SHA1
48f1289e522d3ffe3bf6dd62935ff93fd1479ac8

SHA256
aa9db04784a62a2d543ae346d14fcf5b609dd00e620c28d05661e9e5c8d8562c

SHA512
5793b52cc3389675554751477b67981ad0d1bd90787590295c434d1a30f8b6e7348b83bb9e9644d9b08dbbde8eec90ac68b79a4d5055d90e312a066e321e7e57

Download Submit
memory/8-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-1091-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-1098-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-884-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-635-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-1111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads