ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047

Resubmissions

06-03-2024 22:44

240306-2n383abc33 10

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe
Size

72KB
MD5

0da60aeccf47f1228217da71da81d8e3
SHA1

f606381c1316806c40bc2b03656750c954dc52b9
SHA256

ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047
SHA512

eddcea6cad81ce6ffef0316ef5f4e5fb89767d280585659fc261b16484a64edd5dbaf27c93f89cf8e0a73f47d1e9c64bd445feca30deca4be9cd4821c792708b
SSDEEP

1536:LEXRkfAtLu6FXkehsUHcQ5SQUMY4NaQbiLDPQK4:vfKHFptnXaQb4D4K4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npedmdab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhpgofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knlleepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgamnded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjpijpdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mehcdfch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mleoafmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fineoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkobmnka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfaohbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahhio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkehkocf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccnncgmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehcfaboo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgdhgmep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihagaji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmmmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnbqnjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfpojead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cimcan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eemgplno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlbhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foclgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miofjepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgjndno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnaokmco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keqdmihc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfkbde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgppmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajagj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Papfgbmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe

Executes dropped EXE 64 IoCs

pid	Process
3568	Kbceejpf.exe
4568	Klljnp32.exe
4408	Kfankifm.exe
5004	Kdeoemeg.exe
4348	Kefkme32.exe
4752	Lbjlfi32.exe
2256	Liddbc32.exe
4304	Ldjhpl32.exe
3168	Ligqhc32.exe
1960	Lpqiemge.exe
3260	Lboeaifi.exe
3188	Lpcfkm32.exe
1668	Lgmngglp.exe
3652	Lljfpnjg.exe
632	Mpjlklok.exe
4420	Megdccmb.exe
3408	Mplhql32.exe
488	Mmpijp32.exe
3704	Mpoefk32.exe
3952	Migjoaaf.exe
1772	Mcpnhfhf.exe
2636	Mnebeogl.exe
2144	Ndokbi32.exe
4736	Onjegled.exe
3008	Oqhacgdh.exe
1368	Ogbipa32.exe
3688	Pdfjifjo.exe
1144	Pcijeb32.exe
212	Pmannhhj.exe
4552	Pggbkagp.exe
5096	Pqpgdfnp.exe
3536	Pflplnlg.exe
1964	Pncgmkmj.exe
3432	Pdmpje32.exe
3512	Pfolbmje.exe
4548	Pmidog32.exe
2360	Pfaigm32.exe
2444	Qmkadgpo.exe
2692	Qdbiedpa.exe
4248	Qjoankoi.exe
2160	Qmmnjfnl.exe
1568	Qcgffqei.exe
2624	Ajanck32.exe
4912	Aqkgpedc.exe
3348	Acjclpcf.exe
5144	Aqncedbp.exe
5188	Agglboim.exe
5228	Amddjegd.exe
5268	Afmhck32.exe
5316	Amgapeea.exe
5356	Aepefb32.exe
5412	Bjmnoi32.exe
5468	Bebblb32.exe
5508	Beeoaapl.exe
5548	Bgcknmop.exe
5596	Beglgani.exe
5648	Bgehcmmm.exe
5688	Bnpppgdj.exe
5728	Bjfaeh32.exe
5768	Belebq32.exe
5836	Cfmajipb.exe
5888	Cmgjgcgo.exe
5932	Chmndlge.exe
5980	Cfpnph32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Klkcdj32.exe	Kimghn32.exe
File created	C:\Windows\SysWOW64\Qhmqdemc.exe	Pocpfphe.exe
File created	C:\Windows\SysWOW64\Iokifhcf.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Kijchhbo.exe	Kbpkkn32.exe
File opened for modification	C:\Windows\SysWOW64\Mmfkhmdi.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Mbedga32.exe	Mpghkf32.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Lobjni32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Eiobceef.exe	Ejlbhh32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Qglobbdg.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Kemooo32.exe	Kcoccc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Hghoeqmp.exe	Hheoid32.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Lindkm32.exe	Likhem32.exe
File opened for modification	C:\Windows\SysWOW64\Bkobmnka.exe	Bhnikc32.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Memicmfo.dll	Bjfjka32.exe
File created	C:\Windows\SysWOW64\Kjmejc32.dll	Dgjoif32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Gkaopp32.exe	Ghbbcd32.exe
File created	C:\Windows\SysWOW64\Pgdhgbbj.dll	Oidofh32.exe
File created	C:\Windows\SysWOW64\Oampjeml.exe	Oondnini.exe
File created	C:\Windows\SysWOW64\Kdmqmc32.exe	Kjhloj32.exe
File opened for modification	C:\Windows\SysWOW64\Iebngial.exe	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ifgldfio.exe	Iomcgl32.exe
File opened for modification	C:\Windows\SysWOW64\Iomcgl32.exe	Iickkbje.exe
File opened for modification	C:\Windows\SysWOW64\Ifleoe32.exe	Ioambknl.exe
File opened for modification	C:\Windows\SysWOW64\Knlleepl.exe	Klmpiiai.exe
File created	C:\Windows\SysWOW64\Bfpjcbmh.dll	Lhncdi32.exe
File created	C:\Windows\SysWOW64\Bogcgj32.exe	Aimkjp32.exe
File created	C:\Windows\SysWOW64\Iadenp32.dll	Nafjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Hbbmmi32.exe	Hkhdqoac.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Jcgnbaeo.exe	Jcbdgb32.exe
File created	C:\Windows\SysWOW64\Likhem32.exe	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Eolhbc32.exe	Ehapfiem.exe
File created	C:\Windows\SysWOW64\Gojnko32.exe	Ghpendjj.exe
File created	C:\Windows\SysWOW64\Ikcdlmgf.exe	Ifgldfio.exe
File created	C:\Windows\SysWOW64\Emehdh32.exe	Ejflhm32.exe
File created	C:\Windows\SysWOW64\Ackhdo32.dll	Gbabigfj.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Kjeiodek.exe	Koodbl32.exe
File opened for modification	C:\Windows\SysWOW64\Najceeoo.exe	Nafjjf32.exe
File created	C:\Windows\SysWOW64\Fiqjke32.exe	Feenjgfq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11376	10100	WerFault.exe	894

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gddinf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbedga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kechmoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Momcpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbolp32.dll"	Klmpiiai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfhnaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqaffn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefplh32.dll"	Lfhnaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fggocmhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkehkocf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqcck32.dll"	Mfcmmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpleig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoonaj32.dll"	Igjeanmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll"	Ebhglj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbch32.dll"	Cpglnhad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfhjkabi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mldhfpib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpodlbng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oanjomjp.dll"	Nenbjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll"	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eaonjngh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klkcdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfbobf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkcbcna.dll"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjnam32.dll"	Ackigjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fineoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbddfmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll"	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkleeplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjaifp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lihpif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknombmk.dll"	Nlphbnoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hheoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgakbm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3568	4764	ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe	94
PID 4764 wrote to memory of 3568	4764	ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe	94
PID 4764 wrote to memory of 3568	4764	ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe	94
PID 3568 wrote to memory of 4568	3568	Kbceejpf.exe	95
PID 3568 wrote to memory of 4568	3568	Kbceejpf.exe	95
PID 3568 wrote to memory of 4568	3568	Kbceejpf.exe	95
PID 4568 wrote to memory of 4408	4568	Klljnp32.exe	96
PID 4568 wrote to memory of 4408	4568	Klljnp32.exe	96
PID 4568 wrote to memory of 4408	4568	Klljnp32.exe	96
PID 4408 wrote to memory of 5004	4408	Kfankifm.exe	97
PID 4408 wrote to memory of 5004	4408	Kfankifm.exe	97
PID 4408 wrote to memory of 5004	4408	Kfankifm.exe	97
PID 5004 wrote to memory of 4348	5004	Kdeoemeg.exe	98
PID 5004 wrote to memory of 4348	5004	Kdeoemeg.exe	98
PID 5004 wrote to memory of 4348	5004	Kdeoemeg.exe	98
PID 4348 wrote to memory of 4752	4348	Kefkme32.exe	99
PID 4348 wrote to memory of 4752	4348	Kefkme32.exe	99
PID 4348 wrote to memory of 4752	4348	Kefkme32.exe	99
PID 4752 wrote to memory of 2256	4752	Lbjlfi32.exe	101
PID 4752 wrote to memory of 2256	4752	Lbjlfi32.exe	101
PID 4752 wrote to memory of 2256	4752	Lbjlfi32.exe	101
PID 2256 wrote to memory of 4304	2256	Liddbc32.exe	102
PID 2256 wrote to memory of 4304	2256	Liddbc32.exe	102
PID 2256 wrote to memory of 4304	2256	Liddbc32.exe	102
PID 4304 wrote to memory of 3168	4304	Ldjhpl32.exe	103
PID 4304 wrote to memory of 3168	4304	Ldjhpl32.exe	103
PID 4304 wrote to memory of 3168	4304	Ldjhpl32.exe	103
PID 3168 wrote to memory of 1960	3168	Ligqhc32.exe	104
PID 3168 wrote to memory of 1960	3168	Ligqhc32.exe	104
PID 3168 wrote to memory of 1960	3168	Ligqhc32.exe	104
PID 1960 wrote to memory of 3260	1960	Lpqiemge.exe	105
PID 1960 wrote to memory of 3260	1960	Lpqiemge.exe	105
PID 1960 wrote to memory of 3260	1960	Lpqiemge.exe	105
PID 3260 wrote to memory of 3188	3260	Lboeaifi.exe	106
PID 3260 wrote to memory of 3188	3260	Lboeaifi.exe	106
PID 3260 wrote to memory of 3188	3260	Lboeaifi.exe	106
PID 3188 wrote to memory of 1668	3188	Lpcfkm32.exe	107
PID 3188 wrote to memory of 1668	3188	Lpcfkm32.exe	107
PID 3188 wrote to memory of 1668	3188	Lpcfkm32.exe	107
PID 1668 wrote to memory of 3652	1668	Lgmngglp.exe	108
PID 1668 wrote to memory of 3652	1668	Lgmngglp.exe	108
PID 1668 wrote to memory of 3652	1668	Lgmngglp.exe	108
PID 3652 wrote to memory of 632	3652	Lljfpnjg.exe	109
PID 3652 wrote to memory of 632	3652	Lljfpnjg.exe	109
PID 3652 wrote to memory of 632	3652	Lljfpnjg.exe	109
PID 632 wrote to memory of 4420	632	Mpjlklok.exe	110
PID 632 wrote to memory of 4420	632	Mpjlklok.exe	110
PID 632 wrote to memory of 4420	632	Mpjlklok.exe	110
PID 4420 wrote to memory of 3408	4420	Megdccmb.exe	112
PID 4420 wrote to memory of 3408	4420	Megdccmb.exe	112
PID 4420 wrote to memory of 3408	4420	Megdccmb.exe	112
PID 3408 wrote to memory of 488	3408	Mplhql32.exe	113
PID 3408 wrote to memory of 488	3408	Mplhql32.exe	113
PID 3408 wrote to memory of 488	3408	Mplhql32.exe	113
PID 488 wrote to memory of 3704	488	Mmpijp32.exe	114
PID 488 wrote to memory of 3704	488	Mmpijp32.exe	114
PID 488 wrote to memory of 3704	488	Mmpijp32.exe	114
PID 3704 wrote to memory of 3952	3704	Mpoefk32.exe	115
PID 3704 wrote to memory of 3952	3704	Mpoefk32.exe	115
PID 3704 wrote to memory of 3952	3704	Mpoefk32.exe	115
PID 3952 wrote to memory of 1772	3952	Migjoaaf.exe	116
PID 3952 wrote to memory of 1772	3952	Migjoaaf.exe	116
PID 3952 wrote to memory of 1772	3952	Migjoaaf.exe	116
PID 1772 wrote to memory of 2636	1772	Mcpnhfhf.exe	117

C:\Users\Admin\AppData\Local\Temp\ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe
"C:\Users\Admin\AppData\Local\Temp\ac070a0344fe632cf2d8a06d7b1a8d3230bd4cc34917b2ca40c06cc209336047.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\Kbceejpf.exe
  C:\Windows\system32\Kbceejpf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\Klljnp32.exe
    C:\Windows\system32\Klljnp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Kfankifm.exe
      C:\Windows\system32\Kfankifm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        24⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        25⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        26⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        27⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        30⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        32⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        34⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        37⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        38⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        39⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        41⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        42⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        43⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        44⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        46⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        47⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        48⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        49⤵
        Executes dropped EXE
        
        PID:5228
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        50⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5356
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        54⤵
        Executes dropped EXE
        
        PID:5468
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        55⤵
        Executes dropped EXE
        
        PID:5508
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        56⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        58⤵
        Executes dropped EXE
        
        PID:5648
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        59⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        61⤵
        Executes dropped EXE
        
        PID:5768
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        62⤵
        Executes dropped EXE
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        63⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        64⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        65⤵
        Executes dropped EXE
        
        PID:5980
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        66⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        67⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        69⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        70⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        71⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        73⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        74⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        75⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        76⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        77⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        78⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        80⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        81⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        83⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        84⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        85⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        86⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        87⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        88⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Dahhio32.exe
        
        C:\Windows\system32\Dahhio32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Ehapfiem.exe
        
        C:\Windows\system32\Ehapfiem.exe
        90⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Eolhbc32.exe
        
        C:\Windows\system32\Eolhbc32.exe
        91⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Eajeon32.exe
        
        C:\Windows\system32\Eajeon32.exe
        92⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Eggmge32.exe
        
        C:\Windows\system32\Eggmge32.exe
        93⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Ekbihd32.exe
        
        C:\Windows\system32\Ekbihd32.exe
        94⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Ealadnik.exe
        
        C:\Windows\system32\Ealadnik.exe
        95⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ehfjah32.exe
        
        C:\Windows\system32\Ehfjah32.exe
        96⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Egijmegb.exe
        
        C:\Windows\system32\Egijmegb.exe
        97⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Emcbio32.exe
        
        C:\Windows\system32\Emcbio32.exe
        98⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Eaonjngh.exe
        
        C:\Windows\system32\Eaonjngh.exe
        99⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Eglgbdep.exe
        
        C:\Windows\system32\Eglgbdep.exe
        100⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Emeoooml.exe
        
        C:\Windows\system32\Emeoooml.exe
        101⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Eemgplno.exe
        
        C:\Windows\system32\Eemgplno.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ehkclgmb.exe
        
        C:\Windows\system32\Ehkclgmb.exe
        103⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Fdbdah32.exe
        
        C:\Windows\system32\Fdbdah32.exe
        104⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Fgppmd32.exe
        
        C:\Windows\system32\Fgppmd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Fnjhjn32.exe
        
        C:\Windows\system32\Fnjhjn32.exe
        106⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Feapkk32.exe
        
        C:\Windows\system32\Feapkk32.exe
        107⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Fgbmccpg.exe
        
        C:\Windows\system32\Fgbmccpg.exe
        108⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Fnmepn32.exe
        
        C:\Windows\system32\Fnmepn32.exe
        109⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        110⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Folaiqng.exe
        
        C:\Windows\system32\Folaiqng.exe
        111⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Fefjfked.exe
        
        C:\Windows\system32\Fefjfked.exe
        112⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Fhdfbfdh.exe
        
        C:\Windows\system32\Fhdfbfdh.exe
        113⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Fnaokmco.exe
        
        C:\Windows\system32\Fnaokmco.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        115⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        116⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Ghniielm.exe
        
        C:\Windows\system32\Ghniielm.exe
        117⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Gkleeplq.exe
        
        C:\Windows\system32\Gkleeplq.exe
        118⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Gafmaj32.exe
        
        C:\Windows\system32\Gafmaj32.exe
        119⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Gddinf32.exe
        
        C:\Windows\system32\Gddinf32.exe
        120⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        121⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Gojnko32.exe
        
        C:\Windows\system32\Gojnko32.exe
        122⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Gahjgj32.exe
        
        C:\Windows\system32\Gahjgj32.exe
        123⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Ghbbcd32.exe
        
        C:\Windows\system32\Ghbbcd32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Gkaopp32.exe
        
        C:\Windows\system32\Gkaopp32.exe
        125⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Hnoklk32.exe
        
        C:\Windows\system32\Hnoklk32.exe
        126⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Hffcmh32.exe
        
        C:\Windows\system32\Hffcmh32.exe
        127⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Hheoid32.exe
        
        C:\Windows\system32\Hheoid32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Hghoeqmp.exe
        
        C:\Windows\system32\Hghoeqmp.exe
        129⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        130⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Hhgloc32.exe
        
        C:\Windows\system32\Hhgloc32.exe
        131⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Hkehkocf.exe
        
        C:\Windows\system32\Hkehkocf.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Hbpphi32.exe
        
        C:\Windows\system32\Hbpphi32.exe
        133⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Hkhdqoac.exe
        
        C:\Windows\system32\Hkhdqoac.exe
        134⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Hbbmmi32.exe
        
        C:\Windows\system32\Hbbmmi32.exe
        135⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Hhlejcpm.exe
        
        C:\Windows\system32\Hhlejcpm.exe
        136⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Hkjafn32.exe
        
        C:\Windows\system32\Hkjafn32.exe
        137⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Hbdjchgn.exe
        
        C:\Windows\system32\Hbdjchgn.exe
        138⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Hhnbpb32.exe
        
        C:\Windows\system32\Hhnbpb32.exe
        139⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Inkjhi32.exe
        
        C:\Windows\system32\Inkjhi32.exe
        140⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Ikokan32.exe
        
        C:\Windows\system32\Ikokan32.exe
        141⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Ibicnh32.exe
        
        C:\Windows\system32\Ibicnh32.exe
        142⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Iickkbje.exe
        
        C:\Windows\system32\Iickkbje.exe
        143⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Iomcgl32.exe
        
        C:\Windows\system32\Iomcgl32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Ifgldfio.exe
        
        C:\Windows\system32\Ifgldfio.exe
        145⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Ikcdlmgf.exe
        
        C:\Windows\system32\Ikcdlmgf.exe
        146⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ibnligoc.exe
        
        C:\Windows\system32\Ibnligoc.exe
        147⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Igjeanmj.exe
        
        C:\Windows\system32\Igjeanmj.exe
        148⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Ioambknl.exe
        
        C:\Windows\system32\Ioambknl.exe
        149⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Ifleoe32.exe
        
        C:\Windows\system32\Ifleoe32.exe
        150⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Igmagnkg.exe
        
        C:\Windows\system32\Igmagnkg.exe
        151⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        152⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Jfnbdecg.exe
        
        C:\Windows\system32\Jfnbdecg.exe
        153⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Jilnqqbj.exe
        
        C:\Windows\system32\Jilnqqbj.exe
        154⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Joffnk32.exe
        
        C:\Windows\system32\Joffnk32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Jfpojead.exe
        
        C:\Windows\system32\Jfpojead.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Jgakbm32.exe
        
        C:\Windows\system32\Jgakbm32.exe
        157⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Jnkcogno.exe
        
        C:\Windows\system32\Jnkcogno.exe
        158⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Jgdhgmep.exe
        
        C:\Windows\system32\Jgdhgmep.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Jpkphjeb.exe
        
        C:\Windows\system32\Jpkphjeb.exe
        160⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Jfehed32.exe
        
        C:\Windows\system32\Jfehed32.exe
        161⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Jgfdmlcm.exe
        
        C:\Windows\system32\Jgfdmlcm.exe
        162⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Jfgdkd32.exe
        
        C:\Windows\system32\Jfgdkd32.exe
        163⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Jieagojp.exe
        
        C:\Windows\system32\Jieagojp.exe
        164⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Kldmckic.exe
        
        C:\Windows\system32\Kldmckic.exe
        165⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        166⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Kihnmohm.exe
        
        C:\Windows\system32\Kihnmohm.exe
        167⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Knefeffd.exe
        
        C:\Windows\system32\Knefeffd.exe
        168⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Kbpbed32.exe
        
        C:\Windows\system32\Kbpbed32.exe
        169⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Khmknk32.exe
        
        C:\Windows\system32\Khmknk32.exe
        170⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Kbbokdlk.exe
        
        C:\Windows\system32\Kbbokdlk.exe
        171⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Kimghn32.exe
        
        C:\Windows\system32\Kimghn32.exe
        172⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Klkcdj32.exe
        
        C:\Windows\system32\Klkcdj32.exe
        173⤵
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Knippe32.exe
        
        C:\Windows\system32\Knippe32.exe
        174⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Kbekqdjh.exe
        
        C:\Windows\system32\Kbekqdjh.exe
        175⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Kechmoil.exe
        
        C:\Windows\system32\Kechmoil.exe
        176⤵
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Kiodmn32.exe
        
        C:\Windows\system32\Kiodmn32.exe
        177⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Klmpiiai.exe
        
        C:\Windows\system32\Klmpiiai.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8112
        
        C:\Windows\SysWOW64\Knlleepl.exe
        
        C:\Windows\system32\Knlleepl.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Lidmhmnp.exe
        
        C:\Windows\system32\Lidmhmnp.exe
        180⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Llbidimc.exe
        
        C:\Windows\system32\Llbidimc.exe
        181⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Lfhnaa32.exe
        
        C:\Windows\system32\Lfhnaa32.exe
        182⤵
        Modifies registry class
        
        PID:7324
        
        C:\Windows\SysWOW64\Lhijijbg.exe
        
        C:\Windows\system32\Lhijijbg.exe
        183⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Lppbkgcj.exe
        
        C:\Windows\system32\Lppbkgcj.exe
        184⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Lemkcnaa.exe
        
        C:\Windows\system32\Lemkcnaa.exe
        185⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Lpbopfag.exe
        
        C:\Windows\system32\Lpbopfag.exe
        186⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Lflgmqhd.exe
        
        C:\Windows\system32\Lflgmqhd.exe
        187⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Lhncdi32.exe
        
        C:\Windows\system32\Lhncdi32.exe
        188⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lbchba32.exe
        
        C:\Windows\system32\Lbchba32.exe
        189⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Mhppji32.exe
        
        C:\Windows\system32\Mhppji32.exe
        190⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Mpghkf32.exe
        
        C:\Windows\system32\Mpghkf32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Mbedga32.exe
        
        C:\Windows\system32\Mbedga32.exe
        192⤵
        Modifies registry class
        
        PID:7992
        
        C:\Windows\SysWOW64\Medqcmki.exe
        
        C:\Windows\system32\Medqcmki.exe
        193⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Mpieqeko.exe
        
        C:\Windows\system32\Mpieqeko.exe
        194⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Mfcmmp32.exe
        
        C:\Windows\system32\Mfcmmp32.exe
        195⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Mhdjehhj.exe
        
        C:\Windows\system32\Mhdjehhj.exe
        196⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Mbjnbqhp.exe
        
        C:\Windows\system32\Mbjnbqhp.exe
        197⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Mehjol32.exe
        
        C:\Windows\system32\Mehjol32.exe
        198⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Moaogand.exe
        
        C:\Windows\system32\Moaogand.exe
        199⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Mleoafmn.exe
        
        C:\Windows\system32\Mleoafmn.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7700
        
        C:\Windows\SysWOW64\Mfjcnold.exe
        
        C:\Windows\system32\Mfjcnold.exe
        201⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Npchgdcd.exe
        
        C:\Windows\system32\Npchgdcd.exe
        202⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Noehba32.exe
        
        C:\Windows\system32\Noehba32.exe
        203⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Ngmpcn32.exe
        
        C:\Windows\system32\Ngmpcn32.exe
        204⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Npedmdab.exe
        
        C:\Windows\system32\Npedmdab.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7236
        
        C:\Windows\SysWOW64\Ngomin32.exe
        
        C:\Windows\system32\Ngomin32.exe
        206⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Nlleaeff.exe
        
        C:\Windows\system32\Nlleaeff.exe
        207⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Ngaionfl.exe
        
        C:\Windows\system32\Ngaionfl.exe
        208⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Nlnbgddc.exe
        
        C:\Windows\system32\Nlnbgddc.exe
        209⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Nchjdo32.exe
        
        C:\Windows\system32\Nchjdo32.exe
        210⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Nibbqicm.exe
        
        C:\Windows\system32\Nibbqicm.exe
        211⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Nlqomd32.exe
        
        C:\Windows\system32\Nlqomd32.exe
        212⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Ncjginjn.exe
        
        C:\Windows\system32\Ncjginjn.exe
        213⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Oidofh32.exe
        
        C:\Windows\system32\Oidofh32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Ocopdn32.exe
        
        C:\Windows\system32\Ocopdn32.exe
        215⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Oofaiokl.exe
        
        C:\Windows\system32\Oofaiokl.exe
        216⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        217⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Pleaoa32.exe
        
        C:\Windows\system32\Pleaoa32.exe
        218⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Podmkm32.exe
        
        C:\Windows\system32\Podmkm32.exe
        219⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Pfnegggi.exe
        
        C:\Windows\system32\Pfnegggi.exe
        220⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Qjlnnemp.exe
        
        C:\Windows\system32\Qjlnnemp.exe
        221⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Qoifflkg.exe
        
        C:\Windows\system32\Qoifflkg.exe
        222⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        223⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Qlmgopjq.exe
        
        C:\Windows\system32\Qlmgopjq.exe
        224⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Aokcklid.exe
        
        C:\Windows\system32\Aokcklid.exe
        225⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        226⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ahchda32.exe
        
        C:\Windows\system32\Ahchda32.exe
        227⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Aompak32.exe
        
        C:\Windows\system32\Aompak32.exe
        228⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Agdhbi32.exe
        
        C:\Windows\system32\Agdhbi32.exe
        229⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Amaqjp32.exe
        
        C:\Windows\system32\Amaqjp32.exe
        230⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        231⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Ackigjmh.exe
        
        C:\Windows\system32\Ackigjmh.exe
        232⤵
        Modifies registry class
        
        PID:8408
        
        C:\Windows\SysWOW64\Ajeadd32.exe
        
        C:\Windows\system32\Ajeadd32.exe
        233⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Aqoiqn32.exe
        
        C:\Windows\system32\Aqoiqn32.exe
        234⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Acnemi32.exe
        
        C:\Windows\system32\Acnemi32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8536
        
        C:\Windows\SysWOW64\Aqaffn32.exe
        
        C:\Windows\system32\Aqaffn32.exe
        236⤵
        Modifies registry class
        
        PID:8580
        
        C:\Windows\SysWOW64\Aglnbhal.exe
        
        C:\Windows\system32\Aglnbhal.exe
        237⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Aimkjp32.exe
        
        C:\Windows\system32\Aimkjp32.exe
        238⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8664
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        239⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Bqfoamfj.exe
        
        C:\Windows\system32\Bqfoamfj.exe
        240⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        241⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Bjcmebie.exe
        
        C:\Windows\system32\Bjcmebie.exe
        242⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        243⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Bjfjka32.exe
        
        C:\Windows\system32\Bjfjka32.exe
        244⤵
        Drops file in System32 directory
        
        PID:8920
        
        C:\Windows\SysWOW64\Cmdfgm32.exe
        
        C:\Windows\system32\Cmdfgm32.exe
        245⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Ccnncgmc.exe
        
        C:\Windows\system32\Ccnncgmc.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9012
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        247⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Cpeohh32.exe
        
        C:\Windows\system32\Cpeohh32.exe
        248⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Cimcan32.exe
        
        C:\Windows\system32\Cimcan32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9140
        
        C:\Windows\SysWOW64\Cpglnhad.exe
        
        C:\Windows\system32\Cpglnhad.exe
        250⤵
        Modifies registry class
        
        PID:9188
        
        C:\Windows\SysWOW64\Cjmpkqqj.exe
        
        C:\Windows\system32\Cjmpkqqj.exe
        251⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Caghhk32.exe
        
        C:\Windows\system32\Caghhk32.exe
        252⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        253⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Cjomap32.exe
        
        C:\Windows\system32\Cjomap32.exe
        254⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Cmniml32.exe
        
        C:\Windows\system32\Cmniml32.exe
        255⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Cpleig32.exe
        
        C:\Windows\system32\Cpleig32.exe
        256⤵
        Modifies registry class
        
        PID:8532
        
        C:\Windows\SysWOW64\Cjaifp32.exe
        
        C:\Windows\system32\Cjaifp32.exe
        257⤵
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Dmpfbk32.exe
        
        C:\Windows\system32\Dmpfbk32.exe
        258⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Dcjnoece.exe
        
        C:\Windows\system32\Dcjnoece.exe
        259⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        260⤵
        Modifies registry class
        
        PID:8888
        
        C:\Windows\SysWOW64\Diffglam.exe
        
        C:\Windows\system32\Diffglam.exe
        261⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        262⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Dhhfedil.exe
        
        C:\Windows\system32\Dhhfedil.exe
        263⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Dapkni32.exe
        
        C:\Windows\system32\Dapkni32.exe
        264⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        265⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Djhpgofm.exe
        
        C:\Windows\system32\Djhpgofm.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8300
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        267⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Djklmo32.exe
        
        C:\Windows\system32\Djklmo32.exe
        268⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        269⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        270⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ehcfaboo.exe
        
        C:\Windows\system32\Ehcfaboo.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8936
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        272⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        273⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Ehhpla32.exe
        
        C:\Windows\system32\Ehhpla32.exe
        274⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        275⤵
        Drops file in System32 directory
        
        PID:8436
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        276⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Epcdqd32.exe
        
        C:\Windows\system32\Epcdqd32.exe
        277⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Efmmmn32.exe
        
        C:\Windows\system32\Efmmmn32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9116
        
        C:\Windows\SysWOW64\Fmgejhgn.exe
        
        C:\Windows\system32\Fmgejhgn.exe
        279⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        280⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8932
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        282⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Fajgkfio.exe
        
        C:\Windows\system32\Fajgkfio.exe
        283⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Fggocmhf.exe
        
        C:\Windows\system32\Fggocmhf.exe
        284⤵
        Modifies registry class
        
        PID:9048
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        285⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Fpodlbng.exe
        
        C:\Windows\system32\Fpodlbng.exe
        286⤵
        Modifies registry class
        
        PID:8856
        
        C:\Windows\SysWOW64\Gaopfe32.exe
        
        C:\Windows\system32\Gaopfe32.exe
        287⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Ggkiol32.exe
        
        C:\Windows\system32\Ggkiol32.exe
        288⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        289⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Kbpkkn32.exe
        
        C:\Windows\system32\Kbpkkn32.exe
        290⤵
        Drops file in System32 directory
        
        PID:9376
        
        C:\Windows\SysWOW64\Kijchhbo.exe
        
        C:\Windows\system32\Kijchhbo.exe
        291⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Kkhpdcab.exe
        
        C:\Windows\system32\Kkhpdcab.exe
        292⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        293⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\Keqdmihc.exe
        
        C:\Windows\system32\Keqdmihc.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9568
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        295⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Kjmmepfj.exe
        
        C:\Windows\system32\Kjmmepfj.exe
        296⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        297⤵
        Modifies registry class
        
        PID:9688
        
        C:\Windows\SysWOW64\Kageaj32.exe
        
        C:\Windows\system32\Kageaj32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9740
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        299⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Kgamnded.exe
        
        C:\Windows\system32\Kgamnded.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9824
        
        C:\Windows\SysWOW64\Kjpijpdg.exe
        
        C:\Windows\system32\Kjpijpdg.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9872
        
        C:\Windows\SysWOW64\Lajagj32.exe
        
        C:\Windows\system32\Lajagj32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9920
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        303⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Lkofdbkj.exe
        
        C:\Windows\system32\Lkofdbkj.exe
        304⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10056
        
        C:\Windows\SysWOW64\Lalnmiia.exe
        
        C:\Windows\system32\Lalnmiia.exe
        306⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        307⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Ljdceo32.exe
        
        C:\Windows\system32\Ljdceo32.exe
        308⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Lankbigo.exe
        
        C:\Windows\system32\Lankbigo.exe
        309⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Lnbklm32.exe
        
        C:\Windows\system32\Lnbklm32.exe
        310⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        311⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        312⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lgkpdcmi.exe
        
        C:\Windows\system32\Lgkpdcmi.exe
        313⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        314⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        315⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        316⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        317⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        318⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9736
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        320⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Mjpbam32.exe
        
        C:\Windows\system32\Mjpbam32.exe
        321⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        322⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Majjng32.exe
        
        C:\Windows\system32\Majjng32.exe
        323⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Miaboe32.exe
        
        C:\Windows\system32\Miaboe32.exe
        324⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Mhdckaeo.exe
        
        C:\Windows\system32\Mhdckaeo.exe
        325⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        326⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Mbighjdd.exe
        
        C:\Windows\system32\Mbighjdd.exe
        327⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Mehcdfch.exe
        
        C:\Windows\system32\Mehcdfch.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        329⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Mblcnj32.exe
        
        C:\Windows\system32\Mblcnj32.exe
        330⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Mifljdjo.exe
        
        C:\Windows\system32\Mifljdjo.exe
        331⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Mldhfpib.exe
        
        C:\Windows\system32\Mldhfpib.exe
        332⤵
        Modifies registry class
        
        PID:9696
        
        C:\Windows\SysWOW64\Nbnpcj32.exe
        
        C:\Windows\system32\Nbnpcj32.exe
        333⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Nacmdf32.exe
        
        C:\Windows\system32\Nacmdf32.exe
        334⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Nhmeapmd.exe
        
        C:\Windows\system32\Nhmeapmd.exe
        335⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        336⤵
        Drops file in System32 directory
        
        PID:10088
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        337⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        338⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Oondnini.exe
        
        C:\Windows\system32\Oondnini.exe
        339⤵
        Drops file in System32 directory
        
        PID:9320
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        340⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Oidhlb32.exe
        
        C:\Windows\system32\Oidhlb32.exe
        341⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        342⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Ooqqdi32.exe
        
        C:\Windows\system32\Ooqqdi32.exe
        343⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        344⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9252
        
        C:\Windows\SysWOW64\Okjnnj32.exe
        
        C:\Windows\system32\Okjnnj32.exe
        346⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        347⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        348⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        349⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        350⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        351⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Plndcl32.exe
        
        C:\Windows\system32\Plndcl32.exe
        352⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        353⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Phedhmhi.exe
        
        C:\Windows\system32\Phedhmhi.exe
        354⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\Pkcadhgm.exe
        
        C:\Windows\system32\Pkcadhgm.exe
        355⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        356⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Phganm32.exe
        
        C:\Windows\system32\Phganm32.exe
        357⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        358⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Papfgbmg.exe
        
        C:\Windows\system32\Papfgbmg.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10392
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        360⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        361⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        362⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        363⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Ebejfk32.exe
        
        C:\Windows\system32\Ebejfk32.exe
        364⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10672
        
        C:\Windows\SysWOW64\Eiobceef.exe
        
        C:\Windows\system32\Eiobceef.exe
        366⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        367⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        368⤵
        Modifies registry class
        
        PID:10800
        
        C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        369⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        370⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        371⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        372⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        373⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        374⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11060
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        375⤵
        Drops file in System32 directory
        
        PID:11104
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        376⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        377⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        378⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        379⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Hbhijepa.exe
        
        C:\Windows\system32\Hbhijepa.exe
        380⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        381⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        382⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        383⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        384⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Icknfcol.exe
        
        C:\Windows\system32\Icknfcol.exe
        385⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        386⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        387⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        388⤵
        Drops file in System32 directory
        
        PID:10964
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        389⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        390⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        391⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        392⤵
        Drops file in System32 directory
        
        PID:10268
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        393⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        394⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        395⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Lmmolepp.exe
        
        C:\Windows\system32\Lmmolepp.exe
        396⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Lenicahg.exe
        
        C:\Windows\system32\Lenicahg.exe
        397⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        398⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        399⤵
        Modifies registry class
        
        PID:10288
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        400⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        401⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        402⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        403⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        404⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10824
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        405⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        406⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        407⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        408⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        409⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        410⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        411⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        412⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        413⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        414⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        415⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        416⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        417⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        418⤵
        Drops file in System32 directory
        
        PID:10468
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        419⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1896
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        420⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        421⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        422⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        423⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        424⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        425⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        426⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        427⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        428⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        429⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        430⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        431⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        432⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        433⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        434⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        435⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        436⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        437⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10416
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        438⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        439⤵
        Modifies registry class
        
        PID:10792
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        440⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        441⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        442⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        443⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        444⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        445⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        446⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        447⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        448⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        449⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        450⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        451⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        452⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        453⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        454⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        455⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        456⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        457⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        458⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        459⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        460⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        461⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        462⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        463⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        464⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        465⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        466⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        467⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        468⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        469⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        470⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        471⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        472⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        473⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        474⤵
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        475⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        476⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        477⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        478⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        479⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        480⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        481⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        482⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        483⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        484⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        485⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        486⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        487⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        488⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        489⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        490⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        491⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        492⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        493⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        494⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        495⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        496⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        497⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        498⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        499⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        500⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        501⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        502⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        503⤵
        
        PID:676
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        504⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        505⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        506⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        507⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        508⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        509⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        510⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        511⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        512⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        513⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        514⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        515⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2596
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        516⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        517⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        518⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        519⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        520⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        521⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        522⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        523⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        524⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        525⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        526⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        527⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        528⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        529⤵
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        530⤵
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        531⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        532⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        533⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        534⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        535⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        536⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        537⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        538⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        539⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        540⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        541⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        542⤵
        Modifies registry class
        
        PID:8156
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        543⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        544⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10464
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        546⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        547⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        548⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        549⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        550⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        551⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        552⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        553⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        554⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        555⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        556⤵
        
        PID:784
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        557⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        558⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        559⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        560⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        561⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        562⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        563⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        564⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        565⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        566⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        567⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        568⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        569⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        570⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        571⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        572⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        573⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        574⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        575⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        576⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        577⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        578⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        579⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        580⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        581⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        582⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        583⤵
        Drops file in System32 directory
        
        PID:8012
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        584⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        585⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        586⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7284
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        587⤵
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        588⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        589⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        590⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        591⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        592⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        593⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        594⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        595⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        596⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        597⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        598⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        599⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        600⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        601⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        602⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        603⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        604⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        605⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        606⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        607⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        608⤵
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        609⤵
        Modifies registry class
        
        PID:8412
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        610⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        611⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        612⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        613⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        614⤵
        Drops file in System32 directory
        
        PID:6628
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        615⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        616⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        617⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        618⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        619⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        620⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        621⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        622⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        623⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        624⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        625⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        626⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        627⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        628⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        629⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        630⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        631⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        632⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        633⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        634⤵
        Modifies registry class
        
        PID:8452
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        635⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        636⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8516
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        637⤵
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        638⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        639⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        640⤵
        Drops file in System32 directory
        
        PID:8928
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        641⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        642⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        643⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        644⤵
        Drops file in System32 directory
        
        PID:8692
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        645⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        646⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        647⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        648⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        649⤵
        Drops file in System32 directory
        
        PID:7732
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        650⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        651⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        652⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9208
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        653⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        654⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        655⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        656⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        657⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        658⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        659⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        660⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        661⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        662⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        663⤵
        Modifies registry class
        
        PID:8216
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        664⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        665⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        666⤵
        Drops file in System32 directory
        
        PID:8920
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        667⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        668⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2180
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        669⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        670⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        671⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        672⤵
        Drops file in System32 directory
        
        PID:8180
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        673⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        674⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        675⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        676⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9148
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        677⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        678⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        679⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        680⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        681⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        682⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        683⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        684⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        685⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        686⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        687⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        688⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8788
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        689⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8560
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        690⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        691⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        692⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        693⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        694⤵
        Drops file in System32 directory
        
        PID:9072
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        695⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        696⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        697⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        698⤵
        Drops file in System32 directory
        
        PID:9704
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        699⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        700⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        701⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        702⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        703⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        704⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        705⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        706⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        707⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        708⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        709⤵
        Modifies registry class
        
        PID:9612
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        710⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8664
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        711⤵
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        712⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        713⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        714⤵
        Modifies registry class
        
        PID:9816
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        715⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        716⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        717⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        718⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        719⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        720⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        721⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        722⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        723⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        724⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        725⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        726⤵
        Modifies registry class
        
        PID:8548
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        727⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        728⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        729⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        730⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        731⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        732⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        733⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        734⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        735⤵
        Drops file in System32 directory
        
        PID:9604
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        736⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        737⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        738⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        739⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        740⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        741⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        742⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        743⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        744⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        745⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        746⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        747⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        748⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        749⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        750⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        751⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        752⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        753⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        754⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        755⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        756⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        757⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        758⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        759⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        760⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        761⤵
        Modifies registry class
        
        PID:9972
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        762⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        763⤵
        Drops file in System32 directory
        
        PID:9768
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        764⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        765⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        766⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        767⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        768⤵
        Modifies registry class
        
        PID:10032
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        769⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9356
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        770⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        771⤵
        Drops file in System32 directory
        
        PID:9348
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        772⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        773⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        774⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        775⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        776⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        777⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        778⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        779⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        780⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        781⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        782⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        783⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        784⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        785⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        786⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        787⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10100 -s 420
        788⤵
        Program crash
        
        PID:11376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
1⤵
PID:7648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 10100 -ip 10100
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
72KB

MD5
5fdf4dd1a2c68d94e796a5a850058f44

SHA1
053eaa3e585a0aa11153db244e5f508a04918a4f

SHA256
2a56969e6816af6c02cbc6e6606e321d68d2d72781f9f420536934814121eaab

SHA512
64bbca855f8e195b1e75097f89a498de6834d0e284ac48598628d3cb4093e8b1a926b900faae2185f5e650437682899d49ec6bc22e96abc088270dd0785204fa

Download Submit
C:\Windows\SysWOW64\Aqoiqn32.exe

Filesize
72KB

MD5
7dfb00208af1062cb4e99933b0733b36

SHA1
039a2f5ea3b726bed888a911fa1854cb3e79d079

SHA256
33c2704533fda524c98b89e54474f1440c235a3f2e17f054f5319723129552e5

SHA512
abc36d0fa4c7d03c95a4ed9acb75281df62ff691586e7613facdcc6fdba3cf76128912c0c6758f1fb94f6e80ac580197128e5863cb79e9a84cee23093ee71bf7

Download Submit
C:\Windows\SysWOW64\Bjcmebie.exe

Filesize
72KB

MD5
ff676abc73fbda039b7d0504601eff43

SHA1
ba2a3e9765ccbcc9e4dc9965a45f99f9b4d33b72

SHA256
cf1e8336aaf74fae19275a659444d9a36dd4e13b5285cb44f35806ad2867af8d

SHA512
58f2a4300db6d93057cd34d48434ce17cb1c452988b133655587e7bf394f0f5131571890aacc8511c88258bc2cd2f74b7b99bb5f06dcf2adc237d8f0fe95ceaf

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
72KB

MD5
815d10f5bf70c33ed2451a8637ad3d45

SHA1
90ab383d48b0802d09ba7b7a7341813ac58e10cc

SHA256
5d3b69b0d1e4b30b3c31242868a571eb79866eeeec3ac74192c60f5ba4b02a5b

SHA512
a7d3aa33ff07049aaad3342de53d09c539d953f5368a026251f0fd948f6a57401eddae2803a2ee8ff8c309f38716373395f6855d193aeb34275bf50e57700919

Download Submit
C:\Windows\SysWOW64\Eppqqn32.exe

Filesize
72KB

MD5
badba991257ecf0152da7803d3936929

SHA1
e9632e4a0f1d25208ec336222da901592596ac35

SHA256
a7aea2163a889211ef2049b11f94c69408722b601a81124084d08855da15f077

SHA512
4d086189da84dfe45619b6a045b764f724fa1b9033073e9b2a44932fe91fe3e899068cef926eba866f29471d6a9bc97595e70021e51c0bfa98919e661e919d5b

Download Submit
C:\Windows\SysWOW64\Fmgejhgn.exe

Filesize
72KB

MD5
697a25e388d7381a5c78e1c7b231d037

SHA1
37518069a0626769e051fc79f539ab4ac76d9c86

SHA256
c842cd8bc81b806fd662884a007aa7ecba1b3bb9e6945a6c8d4c426dfd27c27d

SHA512
a5c88e08a38d8342ed5a54f6376a75840c9747746c1ce65aaf5cddab7c6ff8d9f11d6f0bd187674cd01f8074a1ab30395168feaeea7763b76a437074e204807a

Download Submit
C:\Windows\SysWOW64\Gnbinq32.dll

Filesize
7KB

MD5
90768b09a2673da1f5cc7d5447442fd5

SHA1
80c7743e1126fce382bc773cc45968988734a33d

SHA256
421a750ca37be6d246e459bbfd38d9cdcc83a7cc82ee67ebfacca7abff8b681f

SHA512
cb1fd82de05fbd205edbce385c58a60e7910057b7d91c7eff3a61c07e1a8ddedd8d565a92bf9f7a772208c96b9045d558ab8a68b39117d7e4865c2c9e6627a73

Download Submit
C:\Windows\SysWOW64\Jfnbdecg.exe

Filesize
72KB

MD5
e55cc44d5e7f346687e6983ff75cd19c

SHA1
164cb4674f1d37c065010deb473383e85c8f0d73

SHA256
f4ffb6959360f51cede70f01db9c744661cbe84dc936be440fe76081f271c468

SHA512
aa3a07dfc1e1d566662a22e1f1f4be7008d7b4e8f78be9484edc5c8b56ea95551fa3feafb007e0cfee5718e81cb67de2cbb76fbcbd476441ef348b0b1f41b4e8

Download Submit
C:\Windows\SysWOW64\Jnkcogno.exe

Filesize
72KB

MD5
41b8a6a330c83d89502c8deb80508abe

SHA1
058e8d58cc2c7db425d31f7e66a2b1ed210ee85d

SHA256
d629cf04e0b5616f9c0ac1b13ff558eb118bb9b2e6bb68fc1245f3902db3ddd4

SHA512
10976039142747149042e91a8c246f1d30c6186db51859f5143427d78d93368392d0086a05c922d8ff1180044342ac62f38f4c6454ac020a17eb5b9473653771

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
72KB

MD5
3a26f9cc8adca2d5659fb7f483d7614c

SHA1
8858b3a93da191c7de84cf38aff412db98421d97

SHA256
959d6d75974ea56913a4b77f408223851c3196bc2c763fcb898c882793020240

SHA512
faed148e5607f0bbf60546f33a1c61b990596b1b37578fa4c659245c87d6cb310bdc3e2284aab8a57c6350b36c8f007462825b36b42b821c462eaf0a12a61f8d

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
72KB

MD5
c5590a3773e8e264417d62d2e519d0f6

SHA1
21711bb74789e661755b7d10346f915b45c3927f

SHA256
39ff26bb2401ca17f6d739d97bad56cee6a9ea30892d128ac5c3f7de2c3d4d2b

SHA512
ac28fb3325e15671131a56c6679949049152f2dfacc2faf7ef27cd3882b60a8d1b79fac46673efd6223ca6a8ce3673c9bce331b7d1b891ed78f03ffb0759d7c0

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
72KB

MD5
c225bf2422759c6e59d2d9ad6b9e1f7b

SHA1
b12600b9d901d164196def0379cd591474b22987

SHA256
dc7b0b4d9290869356c0ca96ef0790c063cd8aee2f5923189d157eb53cca5d2a

SHA512
f0acae30848a0f4718c9cfdc11536530b4d9b12f4460c40fa1ecfb43f926c378ea41a7e0959b87b0caf10ae95cc62cde454c04383508db0838eed6b62fcac624

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
72KB

MD5
ed71bbd3364c5f546a45bd70433553b7

SHA1
fe7c999dda5a9e6b365e4f278f9557a95e02d09c

SHA256
4da3146f8719859f30a075f1b3ca63ceded0c64fddd1263f94fdb162d130f55b

SHA512
af9baa3715cfa78ce98905ce44a2fdd92236be45289c321f50156b94c79e676bfef361830ac7ce9905af846b7c1a6920307982d2bdaf3cd04d9604a9d58dd292

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
72KB

MD5
28045342ab45569ad9479f6a6ac59a81

SHA1
02b1512eb207bef8c38c9b426e506db3fde35e64

SHA256
bd79cbb07e3e75e1dbfddc47f1f13938345dbaac800f347550375f68d4f55d98

SHA512
ce707051265d5a2b9397f18c86a0eaeb4355af4cd40a8e95847a9f9d40c6a6d740a377478ce68cc1f81cf84bd14514fd3f1755f0595c925ceca1db554cb19f85

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
72KB

MD5
e8c246ca186d82aa8e0e82f1545c468d

SHA1
edfdbbe413cd3503bb6953226cddd55a758951a2

SHA256
608438db88281c080748a57bb710fa89a45b0ab94f5b5a8b9d5f7bb02fd42f97

SHA512
e78a7bea267cdc1cab2cb5e1581f56501ed53f1d9abdd7c89799dc3cb5c625a0eccdd6378319487e2b9d8b0ecf38c676d15ea6353d866aacfa219ebe34ad1f5b

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
72KB

MD5
c9afd5972299e4839e450a3bd3b5cdc7

SHA1
56f79584d6514d68a66bea44af0d25b122185a01

SHA256
90da5e4b2d10653bd35470e09cb01f36cb4a8a140848a224a7500f4f7c11a25d

SHA512
81ef82f68c64352b44781527a97e17409ea7df735e48348268137b790781d0877ceae340ec56a341635de70440fc9a8d04dbf658c6420c5f116215fb903359c0

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
72KB

MD5
03488dd8b44e8145b864e78deb2d947b

SHA1
4db1a8c5bb548abc9bcc85d10fb71d5f496999db

SHA256
ad8c1221665353e9efead663cdf575ddb59f6822605b9c5541b95ca810946b0c

SHA512
a1bd5f1505f42fdd17604784d668776e601e37b99a166b7835ab03420ae7404475f3f9f33b4acb862b2e5f62dd508d030be2c77eee8ea80e08d9f7a474059965

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
72KB

MD5
1e6983dea3bafcef829b8586170cbfd0

SHA1
06af54f8315ad49b02f875279ecfb46f704b1b26

SHA256
25e4ea901acc8b7e1ed5b1e0d67904acec81b9f357dbd720ad71e14ea0140ab0

SHA512
d210f9c67d4406e5a962f8467f7d2264cee74b6fdeaa5d1ea698a0d57153560217876137e1263aed4cfd44c5985ad71598b8b82012358e0a2139e45b6736d5ce

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
72KB

MD5
e04dab6bbd18146c3b3808b033e6243b

SHA1
d2f590067b8e976d9f2d8e2625300a093570391a

SHA256
eb5a26583d5fe2df345e9d95119164d13182cf047d36cc78f949929d1e8ed266

SHA512
e26626e222bde3dc0fb9290e09c30ceecca5e120ccfbc0877c4c3c5b8baf891acffc9fd70cc423c3a02769eaa59e7e864baa96959ab4bd368f33de39de625cfe

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
72KB

MD5
c5adbd423b586d83e2c02b5f44f881c0

SHA1
996f42c5421aa2cb700edbee12b2bae0042e14e7

SHA256
57cf35ac56d4d6a16a637b6c92404f5e87a07846decdde09d482f528438b4407

SHA512
2b4708c723053d8ec1a3cac467383fc8c0088e50b6991d8ac53c6bfc28ad33b81c85ba68f8ade8906ab7cd0ed4ec25e702a3663e9b5bd2dfb4736e3b829efc06

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
72KB

MD5
e32c10103f1a8f558be5111ae73038bf

SHA1
2fe8a5123134413df0a6f17b44e88217d40c9c73

SHA256
0b4ec1362ccc4390b89b5878928181eddad7b1e31225d8cd53c6867607a0b1c0

SHA512
d398219a2723d328c0511e6c04ce0b6f7da566cb2f858c0ff583b5739197c0f1d02c0021f833bb015afa8d689bdeaad1c316c54c9c0c23bc5de0ae30c732069c

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
72KB

MD5
0fccf3f47a60bb67b4ff0147018658d5

SHA1
2007aec241368c143847848920125ec6db25021a

SHA256
398fa94c78716a7993f1e123a748e8fe2d1ee0e2523c601afe83885904b4afcf

SHA512
548d2a2debcd0dd90892821e0d18d3fbfe058512a8c724c32c381fe3e8af4f0df14cc6fce4dd2d3e28903fe20c01642f7a86ef3c19d93b9f807ee922c5de3116

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
72KB

MD5
37bcdeec1e98cca66139f75da7a617c0

SHA1
a12d50c134338f8568b16bc293ae8d290c0787e1

SHA256
c5c26de0b5e50d806ace2cd2d9c74af3266340e7b8d882a9f6e3b5d47e004dab

SHA512
3627bb9bff2709796129ef47122dd015dde454cad191677e9b25db3a72603d42725a10b05a8336442d4213350365ff06f87eb4d5208dc86aa25e8296535e7dc8

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
72KB

MD5
89498875343290a3aef9d200ef2f0545

SHA1
9c17a2ae4d8705a99c6ddc75051e3c4a913cd273

SHA256
d26106519380786d334346c1d3a7c8bc0ec3b4ba995b5b1f110b35c80522f1af

SHA512
d0efaa5f9e48452160346a906dc96b9428ea53e6692f3a321074acf5d13af20513b9ae9f5390f7c68959e7522d0b437cfd84e12e4fb3e570dfb50e78c3b57628

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
72KB

MD5
92912311ba5bddf190de0997a0e2e7e0

SHA1
3076b52692aeec51fc0a019fc515647b84e8936e

SHA256
04785f085410ee26024b3670174fe5d5252bdc3e5aab1e86f63ea21109f7898b

SHA512
332f0a0b4d40817d50bc6766f705821556da54f7393db1cf5f6f6b10d25567b9e3bdc35a696f77d6dcd66bb28a523e9a4101c29a97a27d0a1ed84f06a088c696

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
72KB

MD5
144d012700c74b8abe89f7ab65886397

SHA1
bf97d88bf7fc9fb8ccf971090c5984dc1423c35e

SHA256
ccc0b1b795891f8b0ed7ad73f86f51a815ea7f4ce7c4aed7051a15608ead3ebe

SHA512
2345a822b047aef5e3b90b3ff5ae4b6a8f6793afd0d88be241dd3092909da31ce16da3e3657534d9fae68bdaedbead3fbbcfc52a7616df10946a5ae821d910cd

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
72KB

MD5
7a1d982c62480fbd5851ad8770571437

SHA1
62ffb455ce0b048d14d463b181327b9c6663ac1c

SHA256
9daafbda265cef736312157f25e43c215fa89f5ead4f5ec96cf4273e4d08aa3c

SHA512
d457670a37de0536a7f2e760edf6be0e5c3d8ccf92039810818f0d450d4c20ee7035df9214d0a607b13e9b318dea7c3ad4938ebd7ef45c91950b5fb7bdb0ee79

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
72KB

MD5
7a37145031788acf7a681dfe171df928

SHA1
2400faf5bdf433d269e7aa4030c8b874cd4b5fc1

SHA256
1987e1bd9524068c41af7ab58701a073441eb82e7dc76c80c031ba88884bde5e

SHA512
12bfe25c9c42c7024911e1b569b755b28c559c84ae9bf0a1429840c216f94e6deeaf7687687c2d43121960d94cb201f63a9ad5721b84653cfc36435869c14163

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
72KB

MD5
c6f2c712623f887a37fee36eeaca3987

SHA1
660dd4b1fcf29d5c95255c8bd7a5fc990462ac10

SHA256
6637740f6c83709c5656ebadf34519356b028146c1bef50f5e18a6c614ae3d93

SHA512
92c375c74847562d7005c2485ff7131767e9d0252555f8a51e7a7dd332baffa793c1886a385444c7dd582e2f91da96b0609117e0dcd4f52fa3ddb0465efd974f

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
72KB

MD5
7f98e01d5e2c3f0e4cc13b0d7e293487

SHA1
ad555ccf1c72f5cb85590823b36687c860392b19

SHA256
b0c1f6f092b1998da29f86e8d82772ba5286f4e8e2751975c5af80c40f8a3e9f

SHA512
fead03d8fdc93a382ccee39bb72de11eb79a46c7eb09614892da73121fe134995a6af123f8dbfe39582faef85f58fc30a280fba7e60bcb244c517c817b3a7daa

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
72KB

MD5
3a0dfd8def12266f36b45d21af41b178

SHA1
31cbc9c4c39d2ad92ac117cd804f8b81ba26be3f

SHA256
113252dccf25f637d1c4b843451f8e44601e75715c6f6bcef3b6bda201f4a80a

SHA512
121b1655e36ffa2b61c7393e82275b4b65bc201a5ef8387a1213110c490cf53afa80e8833d18cb36f99c6afc2fbc31ea99732a40246502eefd12822e2b4d980a

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
72KB

MD5
f7b479aa72b7e45716aab058601e2ae3

SHA1
4c7d8a6325639e9772c5e48470d443c7677f5d72

SHA256
a0dc573a74788386c12c4a189277f8a37f71b95c08f58d7b0ca480cfacca81ac

SHA512
987f4cee39fe65a73abba5ab3b71584419e367640c644e286733a5e92cd105f85dd07f8f79d3fa6b87e191c10e78eb70acbdd5295a32b2f4da9835a94b2d6a58

Download Submit
C:\Windows\SysWOW64\Nhmeapmd.exe

Filesize
72KB

MD5
b5eb7871cea945610ccbf730c109b53b

SHA1
6376be24662fb452d7b656ce2125b3fca06319a7

SHA256
9005d0fe54902bb2d05ef8cdb209242703468fbab2dcb6cd7eb864146a3b8f68

SHA512
32916ee0d1f7a55750dd3876c2a25ce22118ee4474a0f750cc9ab9d1ae8b16333af74b789a0677a9d5b930d95585cc8bd3a18eed98268e0675fa846ede115058

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
72KB

MD5
dd8f0bcef368efc80cb15aaaa08a964a

SHA1
6b43f4debff80fd6a15dc6a7c45150aa956debb7

SHA256
a543c8c7e9f925dff990eceb838e260339fdf0ca29bcaf06aef385258ac863e0

SHA512
692848999ee3028fbc3dd69b6c341e053f35d3c4aa2edd95f61d98889b82c38858f4b7cbf3eaf65d02335abfdef9a9d774cfe6e31bf74f73e2b805d3009d4533

Download Submit
C:\Windows\SysWOW64\Olijhmgj.exe

Filesize
72KB

MD5
4bdf45ea4a9cfa777de0b04530d5e4e2

SHA1
96c75bd4a0a01b1f6842eb023966500fd06ece79

SHA256
7fdd2b5e373b8c494d02b58f7ef61a77cfea0d1e67f5ccb6e3b98a78fa144ca7

SHA512
2c7d3ceeed12049e51f87f118851c84f1aa5e8d9fe8fe2f4464b31d9a8bdc275002087f873281eec57dba2fec8a4f0ab4d44bb3b76683f10286330702065d9a7

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
72KB

MD5
26810c1abc44cccc3ff6274b049923d3

SHA1
2ce7a1d59d359d8e3508794a919a5319b1a3f73a

SHA256
581130076b053be62c33ff80137408f9c8492d78dc9d048696adb72402dc7f77

SHA512
ebecbcd7d18ce96b57cbd0f035c8e40bd3e8d4e1fd46992098b50baa2ecf42f3dddcdb13b9c3785efa22d37790f33ca1920f5f8e20c085cc6b99ca8145e037fb

Download Submit
C:\Windows\SysWOW64\Oofaiokl.exe

Filesize
72KB

MD5
94d4840a929a741fed71b2b6ac75405b

SHA1
644f9327e7c7735481f03f659c5010ebc7c10147

SHA256
98cba74d5b15b155d803f65ec6d79256bbff4d774b831e27c5fc5921fc4ce694

SHA512
85eb8f6dda78da8ed10e0b2d2d7b9ea4970eecc7e0d89ad096e82d1c6dae082793b829edffe2039c1ed3f447287bf7b6259412979e91cc84f4820002e3c30fb4

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
72KB

MD5
cc9ec5f68343f852e6c06eed89b22fe5

SHA1
5090a166eba86427e080f8a50cd474a97b753ccd

SHA256
b7bde5fe987912390df21b883b21e37eadf392d6730290744314520a60326d2d

SHA512
876b5a38e16f9589730f8aa42d6f7f00b509a421219a10046f8106f41a238233992d0d387decdb05e7053e561e0557e1e2db7d016cf793a9f981bdf908505dff

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
72KB

MD5
c64fc3cf227b621260625eaf4a182692

SHA1
252db1130a603e7c6b18a08c5833b382beeca0ea

SHA256
421c08567fd18e01ce01fa5320da7d580bdfef9d3f0144c586e869ecb2365d53

SHA512
20960394027f4fded7c74c5518383b30571d4dc2a6abc305cb06bbe6dd683bd29d041aeb9675abd216e381112ac79f8323fbce9f07fde6567e8f0e43a596ddb6

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
72KB

MD5
1b1981991955d8603f42d752ca7c671e

SHA1
be0d2572f958095671f8dc05603a251a97793618

SHA256
755bf7bec83c8ddf552add68971123c1723ad384b83eddeda3b120c22e982309

SHA512
a4211e4081f6fc8a486fd5a5ad8958fd8b4c836aee56b7e2cfd5f20ee9f26163979086f99ce00a7558b53bf2de630e52b93e6e50e2af61b0e162c7bf9c16c104

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
72KB

MD5
8e7d1855fc14fa0c006f13d521913567

SHA1
d39fd95240ca358dcada3756fba4d5690362f15b

SHA256
ecc4fe1a6a91d46671bfbbb7a0eea5bff6752451f84abb0691cf2230bafd4211

SHA512
97395e877ac8f00f6c2eea3b654e8d4aacc8a15e99ee64285012bf750e370767d8ff842a3a9064fb4c428a87d6f6b708565725f47ad986ea78c879db5d725fef

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
72KB

MD5
3a497f21152e6788acfdaf0a2e0d4af2

SHA1
4edb0b902992c2cece396510f461f0710e92db17

SHA256
fdd61925c55020b33740cded4b4bd238a0c8c270a379f3380970480b5c714410

SHA512
74dd9970881ada6ceeb91783837fec96035bb7b906acd93b88a2c8ac00cc324fcdb5e40d397257fb37132bcae591c4db19e78b2c7c904814394a3597421e2f08

Download Submit
C:\Windows\SysWOW64\Pleaoa32.exe

Filesize
72KB

MD5
12a4fc88f90f5349d639d6923c67a21a

SHA1
6a46d828260afa0979b814788940618502915810

SHA256
028932f3164be34a8832575999cd897efefc955bcff44a274763eaa187152699

SHA512
1d441caeaa37c9a33fb79a902db0171674473b440161c7baeac57558167c8e7f05e2df93aaef2d356a7da66912df2eb6f88b841fc45edc0553369d34eabec52d

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
72KB

MD5
1b4c151d0e838479136ade8ccb1cfe7b

SHA1
7df5a0d2e4d7030759a6b91de940f9cf6ca67561

SHA256
defe616300a8ee4d92aef93bf48d1adabb78caab13303fa8a423c04003f7f85d

SHA512
6720eb47a12bd3455aecc101dab50c0b9c9574116e6cc72c0889a2d54bc12205aee4cca6e7e9ca654a3496b8724a1d64b4c7bf60ff3ec823c81b35cb72235341

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
72KB

MD5
91a39f2965a66f7496eb599a902b675d

SHA1
f504f0680e2fc2a37746ee2cc008897edb404371

SHA256
9cc5b8bb8bd9a50219fd8f6a85d0330d854bd4eef281d61b9b8927661d1d674d

SHA512
11c7708caa6c17bb26c16cacf514f4ccca6f30c944247982a3e3202c73dae7c57cad975470530cbf874af3b1399f0071305e8f809e6c3b66f1eda9324f592cae

Download Submit
C:\Windows\SysWOW64\Qjlnnemp.exe

Filesize
72KB

MD5
3c9b2c34aff4ad94f3a4ae43b3107f7b

SHA1
132f2beeeb453af7c45d545318364b31c5aba34e

SHA256
2f3aef731b18ddd2e5d731fd6ac8f3bcd88289bfd73d4753e49f52a9ea33a921

SHA512
6eaacfa567dbf6ec9a1e4d1ebff69142181adc20b85ad1c274e81d3f69b0d27c6293a9e6a18ae53823112a77a573afe424cd543e9bc3cdc27e0d200360f420ee

Download Submit
memory/212-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/488-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5316-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5412-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5468-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5508-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5548-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5648-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5688-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5728-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5888-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5932-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads