b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe
Size

208KB
MD5

e4392aecd8b392d529aa051d1419bbcc
SHA1

70b722df216c32bc6375dcf20ad19756f5b4d3cd
SHA256

b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e
SHA512

32445ac10a4267974c09598b8008cfff5a387ec2424c4605572c155b3edf7ee6d56c7a8c8b7e858e5701e03cdfbd231c05f493607554851f3f271f1f1a4ed9fd
SSDEEP

3072:EyiGcEjFO0SWHDIbznTdQGPxj6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:EyiCjFseIbzdPxO+Eu6QnFw5+0pU8b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikaggmii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpfjma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkpdcmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmechmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epagkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fihnomjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opadhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbiip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnnjmbpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhkgoiqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggeboaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbbokdlk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqkigkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efepbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjimhnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jghabl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhlgfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fonnop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdoihpbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akffafgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoaojp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfpbmfdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhfkopc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fiaael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jilfifme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oldamm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbdikip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pibdmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbbmmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkpdcmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhoqeibl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe

Executes dropped EXE 64 IoCs

pid	Process
2428	Gomakdcp.exe
924	Gdjjckag.exe
4948	Hfifmnij.exe
1396	Hcmgfbhd.exe
1360	Hijooifk.exe
4276	Hbbdholl.exe
1072	Himldi32.exe
4832	Hfqlnm32.exe
4888	Iefioj32.exe
2372	Iicbehnq.exe
2908	Ikbnacmd.exe
2924	Iblfnn32.exe
4688	Ippggbck.exe
3608	Ieolehop.exe
3884	Ibcmom32.exe
3976	Jcbihpel.exe
1148	Jcefno32.exe
1656	Jlpkba32.exe
3788	Jehokgge.exe
2288	Jpnchp32.exe
1724	Jcllonma.exe
464	Kmdqgd32.exe
1416	Kdcbom32.exe
4124	Kipkhdeq.exe
5000	Kpjcdn32.exe
1912	Lffhfh32.exe
3264	Lfhdlh32.exe
4940	Lfkaag32.exe
4232	Ldoaklml.exe
4668	Lepncd32.exe
4036	Ldanqkki.exe
840	Mbfkbhpa.exe
944	Mipcob32.exe
4512	Megdccmb.exe
3896	Mlcifmbl.exe
1408	Mcmabg32.exe
4816	Migjoaaf.exe
2216	Mcpnhfhf.exe
3860	Ngmgne32.exe
1172	Nljofl32.exe
232	Ndaggimg.exe
4756	Nebdoa32.exe
3656	Nlmllkja.exe
3508	Ndcdmikd.exe
3876	Njqmepik.exe
2572	Ndfqbhia.exe
1992	Njciko32.exe
4212	Nckndeni.exe
1756	Odkjng32.exe
2536	Oflgep32.exe
1476	Olfobjbg.exe
1896	Ofnckp32.exe
2852	Olhlhjpd.exe
940	Ognpebpj.exe
3764	Olkhmi32.exe
1076	Ojoign32.exe
4496	Pnlaml32.exe
1996	Pdfjifjo.exe
4916	Pgefeajb.exe
3600	Pqmjog32.exe
684	Pnakhkol.exe
4632	Pqpgdfnp.exe
1964	Pflplnlg.exe
4600	Pdmpje32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Hoogfnnb.exe	Hdicienl.exe
File opened for modification	C:\Windows\SysWOW64\Lbchba32.exe	Leoghn32.exe
File opened for modification	C:\Windows\SysWOW64\Oodcdb32.exe	Oobfob32.exe
File created	C:\Windows\SysWOW64\Ehcplf32.dll	Dnpdegjp.exe
File created	C:\Windows\SysWOW64\Hiilcp32.dll	Pkenjh32.exe
File opened for modification	C:\Windows\SysWOW64\Adjjeieh.exe	Aalmimfd.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bgpgng32.exe	Bmkcqn32.exe
File created	C:\Windows\SysWOW64\Epagkd32.exe	Eigonjcj.exe
File created	C:\Windows\SysWOW64\Lehhlb32.dll	Idghpmnp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Olijhmgj.exe	Obafpg32.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Klkcdj32.exe	Keakgpko.exe
File opened for modification	C:\Windows\SysWOW64\Lldfjh32.exe	Lifjnm32.exe
File created	C:\Windows\SysWOW64\Klobfk32.dll	Ahqddk32.exe
File created	C:\Windows\SysWOW64\Injmcmej.exe	Icdheded.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Ahqddk32.exe	Qebhhp32.exe
File created	C:\Windows\SysWOW64\Bfgjjm32.exe	Bcinna32.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Podbibma.dll	Biiobo32.exe
File created	C:\Windows\SysWOW64\Gmdcfidg.exe	Gemkelcd.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Piapkbeg.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Fmlneg32.exe	Fknbil32.exe
File created	C:\Windows\SysWOW64\Jhlgfj32.exe	Jbaojpgb.exe
File opened for modification	C:\Windows\SysWOW64\Oblmdhdo.exe	Okedcjcm.exe
File opened for modification	C:\Windows\SysWOW64\Pkhjph32.exe	Phincl32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Igcnla32.dll	Hiipmhmk.exe
File opened for modification	C:\Windows\SysWOW64\Ggkiol32.exe	Gpaqbbld.exe
File created	C:\Windows\SysWOW64\Cmakeiil.dll	Nafjjf32.exe
File created	C:\Windows\SysWOW64\Efhlhh32.exe	Epndknin.exe
File created	C:\Windows\SysWOW64\Fneggdhg.exe	Flfkkhid.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Jknfplei.dll	Gaadfkgc.exe
File created	C:\Windows\SysWOW64\Fpjjac32.exe	Fmlneg32.exe
File created	C:\Windows\SysWOW64\Iahqoq32.dll	Afkknogn.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	Mmhgmmbf.exe
File opened for modification	C:\Windows\SysWOW64\Mlbbkfoq.exe	Midfokpm.exe
File created	C:\Windows\SysWOW64\Dpabql32.dll	Hjchaf32.exe
File created	C:\Windows\SysWOW64\Emphocjj.exe	Efepbi32.exe
File created	C:\Windows\SysWOW64\Pijmiq32.dll	Kpanan32.exe
File created	C:\Windows\SysWOW64\Nqmfdj32.exe	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Knbiofhg.exe	Jghabl32.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pmiikh32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhqcgnk.exe	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Jbgoof32.exe	Jecofa32.exe
File opened for modification	C:\Windows\SysWOW64\Pedbahod.exe	Ookjdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pcobaedj.exe	Pkhjph32.exe
File created	C:\Windows\SysWOW64\Gnbcohkd.dll	Emphocjj.exe
File created	C:\Windows\SysWOW64\Lqkqhm32.exe	Lfeljd32.exe
File opened for modification	C:\Windows\SysWOW64\Lnoaaaad.exe	Lfgipd32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Afghneoo.exe	Acilajpk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10660	10372	WerFault.exe	1022

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfggeba.dll"	Emmkiclm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlglidlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgjljpkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Folaiqng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emnbdioi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgghjjid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knkekn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dckdjomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlkepaam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acmobchj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgigo32.dll"	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idgojc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afghneoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll"	Ghpocngo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnpofnhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cihclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohjlgefb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpjjac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oehlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoaojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookjdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpnihiio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaddoaap.dll"	Fibojhim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igdgglfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignmpke.dll"	Ibnligoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iggaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhniccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfjphid.dll"	Fpodlbng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gochjpho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpkld32.dll"	Afappe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkmnpkk.dll"	Ahfdjanb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiibaffb.dll"	Cbbnpg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2428	3104	b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe	90
PID 3104 wrote to memory of 2428	3104	b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe	90
PID 3104 wrote to memory of 2428	3104	b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe	90
PID 2428 wrote to memory of 924	2428	Gomakdcp.exe	91
PID 2428 wrote to memory of 924	2428	Gomakdcp.exe	91
PID 2428 wrote to memory of 924	2428	Gomakdcp.exe	91
PID 924 wrote to memory of 4948	924	Gdjjckag.exe	93
PID 924 wrote to memory of 4948	924	Gdjjckag.exe	93
PID 924 wrote to memory of 4948	924	Gdjjckag.exe	93
PID 4948 wrote to memory of 1396	4948	Hfifmnij.exe	94
PID 4948 wrote to memory of 1396	4948	Hfifmnij.exe	94
PID 4948 wrote to memory of 1396	4948	Hfifmnij.exe	94
PID 1396 wrote to memory of 1360	1396	Hcmgfbhd.exe	95
PID 1396 wrote to memory of 1360	1396	Hcmgfbhd.exe	95
PID 1396 wrote to memory of 1360	1396	Hcmgfbhd.exe	95
PID 1360 wrote to memory of 4276	1360	Hijooifk.exe	96
PID 1360 wrote to memory of 4276	1360	Hijooifk.exe	96
PID 1360 wrote to memory of 4276	1360	Hijooifk.exe	96
PID 4276 wrote to memory of 1072	4276	Hbbdholl.exe	97
PID 4276 wrote to memory of 1072	4276	Hbbdholl.exe	97
PID 4276 wrote to memory of 1072	4276	Hbbdholl.exe	97
PID 1072 wrote to memory of 4832	1072	Himldi32.exe	98
PID 1072 wrote to memory of 4832	1072	Himldi32.exe	98
PID 1072 wrote to memory of 4832	1072	Himldi32.exe	98
PID 4832 wrote to memory of 4888	4832	Hfqlnm32.exe	99
PID 4832 wrote to memory of 4888	4832	Hfqlnm32.exe	99
PID 4832 wrote to memory of 4888	4832	Hfqlnm32.exe	99
PID 4888 wrote to memory of 2372	4888	Iefioj32.exe	101
PID 4888 wrote to memory of 2372	4888	Iefioj32.exe	101
PID 4888 wrote to memory of 2372	4888	Iefioj32.exe	101
PID 2372 wrote to memory of 2908	2372	Iicbehnq.exe	102
PID 2372 wrote to memory of 2908	2372	Iicbehnq.exe	102
PID 2372 wrote to memory of 2908	2372	Iicbehnq.exe	102
PID 2908 wrote to memory of 2924	2908	Ikbnacmd.exe	103
PID 2908 wrote to memory of 2924	2908	Ikbnacmd.exe	103
PID 2908 wrote to memory of 2924	2908	Ikbnacmd.exe	103
PID 2924 wrote to memory of 4688	2924	Iblfnn32.exe	104
PID 2924 wrote to memory of 4688	2924	Iblfnn32.exe	104
PID 2924 wrote to memory of 4688	2924	Iblfnn32.exe	104
PID 4688 wrote to memory of 3608	4688	Ippggbck.exe	105
PID 4688 wrote to memory of 3608	4688	Ippggbck.exe	105
PID 4688 wrote to memory of 3608	4688	Ippggbck.exe	105
PID 3608 wrote to memory of 3884	3608	Ieolehop.exe	107
PID 3608 wrote to memory of 3884	3608	Ieolehop.exe	107
PID 3608 wrote to memory of 3884	3608	Ieolehop.exe	107
PID 3884 wrote to memory of 3976	3884	Ibcmom32.exe	108
PID 3884 wrote to memory of 3976	3884	Ibcmom32.exe	108
PID 3884 wrote to memory of 3976	3884	Ibcmom32.exe	108
PID 3976 wrote to memory of 1148	3976	Jcbihpel.exe	109
PID 3976 wrote to memory of 1148	3976	Jcbihpel.exe	109
PID 3976 wrote to memory of 1148	3976	Jcbihpel.exe	109
PID 1148 wrote to memory of 1656	1148	Jcefno32.exe	110
PID 1148 wrote to memory of 1656	1148	Jcefno32.exe	110
PID 1148 wrote to memory of 1656	1148	Jcefno32.exe	110
PID 1656 wrote to memory of 3788	1656	Jlpkba32.exe	111
PID 1656 wrote to memory of 3788	1656	Jlpkba32.exe	111
PID 1656 wrote to memory of 3788	1656	Jlpkba32.exe	111
PID 3788 wrote to memory of 2288	3788	Jehokgge.exe	112
PID 3788 wrote to memory of 2288	3788	Jehokgge.exe	112
PID 3788 wrote to memory of 2288	3788	Jehokgge.exe	112
PID 2288 wrote to memory of 1724	2288	Jpnchp32.exe	113
PID 2288 wrote to memory of 1724	2288	Jpnchp32.exe	113
PID 2288 wrote to memory of 1724	2288	Jpnchp32.exe	113
PID 1724 wrote to memory of 464	1724	Jcllonma.exe	114

C:\Users\Admin\AppData\Local\Temp\b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe
"C:\Users\Admin\AppData\Local\Temp\b5863a29eb4192f190c976bb01dc5eb1fce34cc971502998bf3020f66efebc5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\Gomakdcp.exe
  C:\Windows\system32\Gomakdcp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\Gdjjckag.exe
    C:\Windows\system32\Gdjjckag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\Hfifmnij.exe
      C:\Windows\system32\Hfifmnij.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        23⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        25⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        26⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        27⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        28⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        30⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        33⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        34⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        35⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        37⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        38⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        39⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        40⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        41⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        42⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        43⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        44⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        45⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        46⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        47⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        48⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        49⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        50⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        53⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        54⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        55⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        56⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        57⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        59⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        60⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        61⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        62⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        64⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        66⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        67⤵
        
        PID:500
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        68⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        69⤵
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        70⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        72⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        75⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        76⤵
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        79⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        80⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        81⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        82⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        83⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        84⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        86⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        87⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        88⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        89⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        90⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        91⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        94⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        95⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        98⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        99⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        100⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        101⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        102⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        103⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        104⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        105⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        106⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        107⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        108⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        109⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        112⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        113⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        114⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        115⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        116⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        117⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Dahhio32.exe
        
        C:\Windows\system32\Dahhio32.exe
        119⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Edfdej32.exe
        
        C:\Windows\system32\Edfdej32.exe
        120⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Ekpmbddq.exe
        
        C:\Windows\system32\Ekpmbddq.exe
        121⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ehdmlhcj.exe
        
        C:\Windows\system32\Ehdmlhcj.exe
        122⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Eonehbjg.exe
        
        C:\Windows\system32\Eonehbjg.exe
        123⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Eaonjngh.exe
        
        C:\Windows\system32\Eaonjngh.exe
        124⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Edmjfifl.exe
        
        C:\Windows\system32\Edmjfifl.exe
        125⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Ekgbccni.exe
        
        C:\Windows\system32\Ekgbccni.exe
        126⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Emeoooml.exe
        
        C:\Windows\system32\Emeoooml.exe
        127⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Eemgplno.exe
        
        C:\Windows\system32\Eemgplno.exe
        128⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Ehkclgmb.exe
        
        C:\Windows\system32\Ehkclgmb.exe
        129⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ekiohclf.exe
        
        C:\Windows\system32\Ekiohclf.exe
        130⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Emhldnkj.exe
        
        C:\Windows\system32\Emhldnkj.exe
        131⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Fhmpagkp.exe
        
        C:\Windows\system32\Fhmpagkp.exe
        132⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Fkllnbjc.exe
        
        C:\Windows\system32\Fkllnbjc.exe
        133⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Fafdkmap.exe
        
        C:\Windows\system32\Fafdkmap.exe
        134⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Fgbmccpg.exe
        
        C:\Windows\system32\Fgbmccpg.exe
        135⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Fnmepn32.exe
        
        C:\Windows\system32\Fnmepn32.exe
        136⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        137⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Folaiqng.exe
        
        C:\Windows\system32\Folaiqng.exe
        138⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Fdijbg32.exe
        
        C:\Windows\system32\Fdijbg32.exe
        139⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Fonnop32.exe
        
        C:\Windows\system32\Fonnop32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        141⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Fgjccb32.exe
        
        C:\Windows\system32\Fgjccb32.exe
        142⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Fnckpmql.exe
        
        C:\Windows\system32\Fnckpmql.exe
        143⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Gdncmghi.exe
        
        C:\Windows\system32\Gdncmghi.exe
        144⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Gochjpho.exe
        
        C:\Windows\system32\Gochjpho.exe
        145⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Gaadfkgc.exe
        
        C:\Windows\system32\Gaadfkgc.exe
        146⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Ghklce32.exe
        
        C:\Windows\system32\Ghklce32.exe
        147⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Goedpofl.exe
        
        C:\Windows\system32\Goedpofl.exe
        148⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Gadqlkep.exe
        
        C:\Windows\system32\Gadqlkep.exe
        149⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ggqida32.exe
        
        C:\Windows\system32\Ggqida32.exe
        150⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Gafmaj32.exe
        
        C:\Windows\system32\Gafmaj32.exe
        151⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Gddinf32.exe
        
        C:\Windows\system32\Gddinf32.exe
        152⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Gkobjpin.exe
        
        C:\Windows\system32\Gkobjpin.exe
        153⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Gdgfce32.exe
        
        C:\Windows\system32\Gdgfce32.exe
        154⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Ggeboaob.exe
        
        C:\Windows\system32\Ggeboaob.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Hnoklk32.exe
        
        C:\Windows\system32\Hnoklk32.exe
        156⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Hdicienl.exe
        
        C:\Windows\system32\Hdicienl.exe
        157⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Hoogfnnb.exe
        
        C:\Windows\system32\Hoogfnnb.exe
        158⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        159⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Hgjljpkm.exe
        
        C:\Windows\system32\Hgjljpkm.exe
        160⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Hfklhhcl.exe
        
        C:\Windows\system32\Hfklhhcl.exe
        161⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Hhihdcbp.exe
        
        C:\Windows\system32\Hhihdcbp.exe
        162⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Hbbmmi32.exe
        
        C:\Windows\system32\Hbbmmi32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Hhlejcpm.exe
        
        C:\Windows\system32\Hhlejcpm.exe
        164⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Hninbj32.exe
        
        C:\Windows\system32\Hninbj32.exe
        165⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Hdbfodfa.exe
        
        C:\Windows\system32\Hdbfodfa.exe
        166⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Hgabkoee.exe
        
        C:\Windows\system32\Hgabkoee.exe
        167⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Inmgmijo.exe
        
        C:\Windows\system32\Inmgmijo.exe
        168⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Ibicnh32.exe
        
        C:\Windows\system32\Ibicnh32.exe
        169⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Idgojc32.exe
        
        C:\Windows\system32\Idgojc32.exe
        170⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Ikaggmii.exe
        
        C:\Windows\system32\Ikaggmii.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        172⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Idjlpc32.exe
        
        C:\Windows\system32\Idjlpc32.exe
        173⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ighhln32.exe
        
        C:\Windows\system32\Ighhln32.exe
        174⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ibnligoc.exe
        
        C:\Windows\system32\Ibnligoc.exe
        175⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Ieliebnf.exe
        
        C:\Windows\system32\Ieliebnf.exe
        176⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Igjeanmj.exe
        
        C:\Windows\system32\Igjeanmj.exe
        177⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Indmnh32.exe
        
        C:\Windows\system32\Indmnh32.exe
        178⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Igmagnkg.exe
        
        C:\Windows\system32\Igmagnkg.exe
        179⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        180⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        181⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Jnifigpa.exe
        
        C:\Windows\system32\Jnifigpa.exe
        182⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Jbgoof32.exe
        
        C:\Windows\system32\Jbgoof32.exe
        184⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Jiaglp32.exe
        
        C:\Windows\system32\Jiaglp32.exe
        185⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        186⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Jfehed32.exe
        
        C:\Windows\system32\Jfehed32.exe
        187⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Jgfdmlcm.exe
        
        C:\Windows\system32\Jgfdmlcm.exe
        188⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Jnpmjf32.exe
        
        C:\Windows\system32\Jnpmjf32.exe
        189⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Jfgdkd32.exe
        
        C:\Windows\system32\Jfgdkd32.exe
        190⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Jghabl32.exe
        
        C:\Windows\system32\Jghabl32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        192⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Kfjapcii.exe
        
        C:\Windows\system32\Kfjapcii.exe
        193⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Klfjijgq.exe
        
        C:\Windows\system32\Klfjijgq.exe
        194⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Knefeffd.exe
        
        C:\Windows\system32\Knefeffd.exe
        195⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Kflnfcgg.exe
        
        C:\Windows\system32\Kflnfcgg.exe
        196⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Khmknk32.exe
        
        C:\Windows\system32\Khmknk32.exe
        197⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Kpdboimg.exe
        
        C:\Windows\system32\Kpdboimg.exe
        198⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Kbbokdlk.exe
        
        C:\Windows\system32\Kbbokdlk.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7836
        
        C:\Windows\SysWOW64\Keakgpko.exe
        
        C:\Windows\system32\Keakgpko.exe
        200⤵
        Drops file in System32 directory
        
        PID:7892
        
        C:\Windows\SysWOW64\Klkcdj32.exe
        
        C:\Windows\system32\Klkcdj32.exe
        201⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Khbdikip.exe
        
        C:\Windows\system32\Khbdikip.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7984
        
        C:\Windows\SysWOW64\Knlleepl.exe
        
        C:\Windows\system32\Knlleepl.exe
        203⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Kefdbo32.exe
        
        C:\Windows\system32\Kefdbo32.exe
        204⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Lhdqnj32.exe
        
        C:\Windows\system32\Lhdqnj32.exe
        205⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        206⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Lfealaol.exe
        
        C:\Windows\system32\Lfealaol.exe
        207⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Llbidimc.exe
        
        C:\Windows\system32\Llbidimc.exe
        208⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Lblaabdp.exe
        
        C:\Windows\system32\Lblaabdp.exe
        209⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Lifjnm32.exe
        
        C:\Windows\system32\Lifjnm32.exe
        210⤵
        Drops file in System32 directory
        
        PID:7392
        
        C:\Windows\SysWOW64\Lldfjh32.exe
        
        C:\Windows\system32\Lldfjh32.exe
        211⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Lbnngbbn.exe
        
        C:\Windows\system32\Lbnngbbn.exe
        212⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Lemkcnaa.exe
        
        C:\Windows\system32\Lemkcnaa.exe
        213⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Lhkgoiqe.exe
        
        C:\Windows\system32\Lhkgoiqe.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Lpbopfag.exe
        
        C:\Windows\system32\Lpbopfag.exe
        215⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Lbqklb32.exe
        
        C:\Windows\system32\Lbqklb32.exe
        216⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Leoghn32.exe
        
        C:\Windows\system32\Leoghn32.exe
        217⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Lbchba32.exe
        
        C:\Windows\system32\Lbchba32.exe
        218⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Mlklkgei.exe
        
        C:\Windows\system32\Mlklkgei.exe
        219⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Mojhgbdl.exe
        
        C:\Windows\system32\Mojhgbdl.exe
        220⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Mhbmphjm.exe
        
        C:\Windows\system32\Mhbmphjm.exe
        221⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Molelb32.exe
        
        C:\Windows\system32\Molelb32.exe
        222⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Mibijk32.exe
        
        C:\Windows\system32\Mibijk32.exe
        223⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Mplafeil.exe
        
        C:\Windows\system32\Mplafeil.exe
        224⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Midfokpm.exe
        
        C:\Windows\system32\Midfokpm.exe
        225⤵
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\SysWOW64\Mlbbkfoq.exe
        
        C:\Windows\system32\Mlbbkfoq.exe
        226⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Moaogand.exe
        
        C:\Windows\system32\Moaogand.exe
        227⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Mfhfhong.exe
        
        C:\Windows\system32\Mfhfhong.exe
        228⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Mleoafmn.exe
        
        C:\Windows\system32\Mleoafmn.exe
        229⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mockmala.exe
        
        C:\Windows\system32\Mockmala.exe
        230⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Nhlpfgbb.exe
        
        C:\Windows\system32\Nhlpfgbb.exe
        231⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Noehba32.exe
        
        C:\Windows\system32\Noehba32.exe
        232⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        233⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Niklpj32.exe
        
        C:\Windows\system32\Niklpj32.exe
        234⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Npedmdab.exe
        
        C:\Windows\system32\Npedmdab.exe
        235⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Nbcqiope.exe
        
        C:\Windows\system32\Nbcqiope.exe
        236⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        237⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Nlleaeff.exe
        
        C:\Windows\system32\Nlleaeff.exe
        238⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Nomncpcg.exe
        
        C:\Windows\system32\Nomncpcg.exe
        239⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Ngdfdmdi.exe
        
        C:\Windows\system32\Ngdfdmdi.exe
        240⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Nheble32.exe
        
        C:\Windows\system32\Nheble32.exe
        241⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Nplkmckj.exe
        
        C:\Windows\system32\Nplkmckj.exe
        242⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Oeicejia.exe
        
        C:\Windows\system32\Oeicejia.exe
        243⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Olckbd32.exe
        
        C:\Windows\system32\Olckbd32.exe
        244⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Ooagno32.exe
        
        C:\Windows\system32\Ooagno32.exe
        245⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Ohjlgefb.exe
        
        C:\Windows\system32\Ohjlgefb.exe
        246⤵
        Modifies registry class
        
        PID:8336
        
        C:\Windows\SysWOW64\Opadhb32.exe
        
        C:\Windows\system32\Opadhb32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8396
        
        C:\Windows\SysWOW64\Ocopdn32.exe
        
        C:\Windows\system32\Ocopdn32.exe
        248⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Oenlqi32.exe
        
        C:\Windows\system32\Oenlqi32.exe
        249⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Olgemcli.exe
        
        C:\Windows\system32\Olgemcli.exe
        250⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Ocamjm32.exe
        
        C:\Windows\system32\Ocamjm32.exe
        251⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Opemca32.exe
        
        C:\Windows\system32\Opemca32.exe
        252⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Ookjdn32.exe
        
        C:\Windows\system32\Ookjdn32.exe
        253⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8680
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        254⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        255⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        256⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Phelcc32.exe
        
        C:\Windows\system32\Phelcc32.exe
        257⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Poodpmca.exe
        
        C:\Windows\system32\Poodpmca.exe
        258⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        259⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        260⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Pcmlfl32.exe
        
        C:\Windows\system32\Pcmlfl32.exe
        261⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        262⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Phjenbhp.exe
        
        C:\Windows\system32\Phjenbhp.exe
        263⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        264⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Pgkelj32.exe
        
        C:\Windows\system32\Pgkelj32.exe
        265⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Phlacbfm.exe
        
        C:\Windows\system32\Phlacbfm.exe
        266⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Pofjpl32.exe
        
        C:\Windows\system32\Pofjpl32.exe
        267⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Qfpbmfdf.exe
        
        C:\Windows\system32\Qfpbmfdf.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8300
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        269⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        270⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        271⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        272⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        273⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        274⤵
        Drops file in System32 directory
        
        PID:8740
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        275⤵
        Modifies registry class
        
        PID:8828
        
        C:\Windows\SysWOW64\Ahfdjanb.exe
        
        C:\Windows\system32\Ahfdjanb.exe
        276⤵
        Modifies registry class
        
        PID:8920
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        277⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Ackigjmh.exe
        
        C:\Windows\system32\Ackigjmh.exe
        278⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Afjeceml.exe
        
        C:\Windows\system32\Afjeceml.exe
        279⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Amcmpodi.exe
        
        C:\Windows\system32\Amcmpodi.exe
        280⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Acnemi32.exe
        
        C:\Windows\system32\Acnemi32.exe
        281⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Ajhniccb.exe
        
        C:\Windows\system32\Ajhniccb.exe
        282⤵
        Modifies registry class
        
        PID:8324
        
        C:\Windows\SysWOW64\Amfjeobf.exe
        
        C:\Windows\system32\Amfjeobf.exe
        283⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        284⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Amhfkopc.exe
        
        C:\Windows\system32\Amhfkopc.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8708
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        286⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Bgnkhg32.exe
        
        C:\Windows\system32\Bgnkhg32.exe
        287⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        288⤵
        Drops file in System32 directory
        
        PID:9024
        
        C:\Windows\SysWOW64\Bgpgng32.exe
        
        C:\Windows\system32\Bgpgng32.exe
        289⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        290⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Bcghch32.exe
        
        C:\Windows\system32\Bcghch32.exe
        291⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        292⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bpnihiio.exe
        
        C:\Windows\system32\Bpnihiio.exe
        293⤵
        Modifies registry class
        
        PID:8752
        
        C:\Windows\SysWOW64\Bjcmebie.exe
        
        C:\Windows\system32\Bjcmebie.exe
        294⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Bppfmigl.exe
        
        C:\Windows\system32\Bppfmigl.exe
        295⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        296⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Bjfjka32.exe
        
        C:\Windows\system32\Bjfjka32.exe
        297⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Cpbbch32.exe
        
        C:\Windows\system32\Cpbbch32.exe
        298⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Cflkpblf.exe
        
        C:\Windows\system32\Cflkpblf.exe
        299⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Cmfclm32.exe
        
        C:\Windows\system32\Cmfclm32.exe
        300⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9072
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        302⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        303⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        304⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Cjomap32.exe
        
        C:\Windows\system32\Cjomap32.exe
        305⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Caienjfd.exe
        
        C:\Windows\system32\Caienjfd.exe
        306⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Ccgajfeh.exe
        
        C:\Windows\system32\Ccgajfeh.exe
        307⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Dpnbog32.exe
        
        C:\Windows\system32\Dpnbog32.exe
        308⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Djdflp32.exe
        
        C:\Windows\system32\Djdflp32.exe
        309⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Dmbbhkjf.exe
        
        C:\Windows\system32\Dmbbhkjf.exe
        310⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Dpqodfij.exe
        
        C:\Windows\system32\Dpqodfij.exe
        311⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        312⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        313⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        314⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Djhpgofm.exe
        
        C:\Windows\system32\Djhpgofm.exe
        315⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Dabhdinj.exe
        
        C:\Windows\system32\Dabhdinj.exe
        316⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        317⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Dmihij32.exe
        
        C:\Windows\system32\Dmihij32.exe
        318⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        319⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Eipinkib.exe
        
        C:\Windows\system32\Eipinkib.exe
        320⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        321⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        322⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        323⤵
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Eplnpeol.exe
        
        C:\Windows\system32\Eplnpeol.exe
        324⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Ehcfaboo.exe
        
        C:\Windows\system32\Ehcfaboo.exe
        325⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        326⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Epokedmj.exe
        
        C:\Windows\system32\Epokedmj.exe
        327⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        328⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Eigonjcj.exe
        
        C:\Windows\system32\Eigonjcj.exe
        329⤵
        Drops file in System32 directory
        
        PID:9436
        
        C:\Windows\SysWOW64\Epagkd32.exe
        
        C:\Windows\system32\Epagkd32.exe
        330⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9492
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        331⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Eaqdegaj.exe
        
        C:\Windows\system32\Eaqdegaj.exe
        332⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        333⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        334⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Facqkg32.exe
        
        C:\Windows\system32\Facqkg32.exe
        335⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        336⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        337⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Fknbil32.exe
        
        C:\Windows\system32\Fknbil32.exe
        338⤵
        Drops file in System32 directory
        
        PID:10120
        
        C:\Windows\SysWOW64\Fmlneg32.exe
        
        C:\Windows\system32\Fmlneg32.exe
        339⤵
        Drops file in System32 directory
        
        PID:10200
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        340⤵
        Modifies registry class
        
        PID:10228
        
        C:\Windows\SysWOW64\Fhabbp32.exe
        
        C:\Windows\system32\Fhabbp32.exe
        341⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Fibojhim.exe
        
        C:\Windows\system32\Fibojhim.exe
        342⤵
        Modifies registry class
        
        PID:9464
        
        C:\Windows\SysWOW64\Fajgkfio.exe
        
        C:\Windows\system32\Fajgkfio.exe
        343⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Fggocmhf.exe
        
        C:\Windows\system32\Fggocmhf.exe
        344⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Fmqgpgoc.exe
        
        C:\Windows\system32\Fmqgpgoc.exe
        345⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Fpodlbng.exe
        
        C:\Windows\system32\Fpodlbng.exe
        346⤵
        Modifies registry class
        
        PID:9948
        
        C:\Windows\SysWOW64\Ggilil32.exe
        
        C:\Windows\system32\Ggilil32.exe
        347⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Gmcdffmq.exe
        
        C:\Windows\system32\Gmcdffmq.exe
        348⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Gpaqbbld.exe
        
        C:\Windows\system32\Gpaqbbld.exe
        349⤵
        Drops file in System32 directory
        
        PID:9348
        
        C:\Windows\SysWOW64\Ggkiol32.exe
        
        C:\Windows\system32\Ggkiol32.exe
        350⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9656
        
        C:\Windows\SysWOW64\Gkiaej32.exe
        
        C:\Windows\system32\Gkiaej32.exe
        352⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10088
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        354⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Ginnfgop.exe
        
        C:\Windows\system32\Ginnfgop.exe
        355⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        356⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Ghpocngo.exe
        
        C:\Windows\system32\Ghpocngo.exe
        357⤵
        Modifies registry class
        
        PID:10016
        
        C:\Windows\SysWOW64\Giqkkf32.exe
        
        C:\Windows\system32\Giqkkf32.exe
        358⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Gahcmd32.exe
        
        C:\Windows\system32\Gahcmd32.exe
        359⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Hhbkinel.exe
        
        C:\Windows\system32\Hhbkinel.exe
        360⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        361⤵
        Drops file in System32 directory
        
        PID:10068
        
        C:\Windows\SysWOW64\Hpmpnp32.exe
        
        C:\Windows\system32\Hpmpnp32.exe
        362⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        363⤵
        Modifies registry class
        
        PID:10280
        
        C:\Windows\SysWOW64\Hjedffig.exe
        
        C:\Windows\system32\Hjedffig.exe
        364⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        365⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Hdkidohn.exe
        
        C:\Windows\system32\Hdkidohn.exe
        366⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Hgiepjga.exe
        
        C:\Windows\system32\Hgiepjga.exe
        367⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Hncmmd32.exe
        
        C:\Windows\system32\Hncmmd32.exe
        368⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Hpbiip32.exe
        
        C:\Windows\system32\Hpbiip32.exe
        369⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10532
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        370⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Hkgnfhnh.exe
        
        C:\Windows\system32\Hkgnfhnh.exe
        371⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        372⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Hdpbon32.exe
        
        C:\Windows\system32\Hdpbon32.exe
        373⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Hgnoki32.exe
        
        C:\Windows\system32\Hgnoki32.exe
        374⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Hjlkge32.exe
        
        C:\Windows\system32\Hjlkge32.exe
        375⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        376⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        377⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        378⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Injcmc32.exe
        
        C:\Windows\system32\Injcmc32.exe
        379⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Iddljmpc.exe
        
        C:\Windows\system32\Iddljmpc.exe
        380⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        381⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Iahlcaol.exe
        
        C:\Windows\system32\Iahlcaol.exe
        382⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        383⤵
        Drops file in System32 directory
        
        PID:11132
        
        C:\Windows\SysWOW64\Igedlh32.exe
        
        C:\Windows\system32\Igedlh32.exe
        384⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        385⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        386⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Idieem32.exe
        
        C:\Windows\system32\Idieem32.exe
        387⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\Iggaah32.exe
        
        C:\Windows\system32\Iggaah32.exe
        388⤵
        Modifies registry class
        
        PID:10344
        
        C:\Windows\SysWOW64\Ijfnmc32.exe
        
        C:\Windows\system32\Ijfnmc32.exe
        389⤵
        Modifies registry class
        
        PID:10408
        
        C:\Windows\SysWOW64\Iqpfjnba.exe
        
        C:\Windows\system32\Iqpfjnba.exe
        390⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        391⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Igjngh32.exe
        
        C:\Windows\system32\Igjngh32.exe
        392⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        393⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Jdnoplhh.exe
        
        C:\Windows\system32\Jdnoplhh.exe
        394⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Jglklggl.exe
        
        C:\Windows\system32\Jglklggl.exe
        395⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\Jjjghcfp.exe
        
        C:\Windows\system32\Jjjghcfp.exe
        396⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        397⤵
        Drops file in System32 directory
        
        PID:10944
        
        C:\Windows\SysWOW64\Jhlgfj32.exe
        
        C:\Windows\system32\Jhlgfj32.exe
        398⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11052
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        399⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Jbdlop32.exe
        
        C:\Windows\system32\Jbdlop32.exe
        400⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        401⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Jgadgf32.exe
        
        C:\Windows\system32\Jgadgf32.exe
        402⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Jbfheo32.exe
        
        C:\Windows\system32\Jbfheo32.exe
        403⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Jdedak32.exe
        
        C:\Windows\system32\Jdedak32.exe
        404⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        405⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        406⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Jgenbfoa.exe
        
        C:\Windows\system32\Jgenbfoa.exe
        407⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        408⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Kqnbkl32.exe
        
        C:\Windows\system32\Kqnbkl32.exe
        409⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\Kghjhemo.exe
        
        C:\Windows\system32\Kghjhemo.exe
        410⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Kelkaj32.exe
        
        C:\Windows\system32\Kelkaj32.exe
        411⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        412⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        413⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        414⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Kgopidgf.exe
        
        C:\Windows\system32\Kgopidgf.exe
        415⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        416⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kageaj32.exe
        
        C:\Windows\system32\Kageaj32.exe
        417⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        418⤵
        Modifies registry class
        
        PID:10924
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        419⤵
        Modifies registry class
        
        PID:11124
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        420⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        421⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Lgkpdcmi.exe
        
        C:\Windows\system32\Lgkpdcmi.exe
        422⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Llflea32.exe
        
        C:\Windows\system32\Llflea32.exe
        423⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Mlkepaam.exe
        
        C:\Windows\system32\Mlkepaam.exe
        424⤵
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        425⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Meefofek.exe
        
        C:\Windows\system32\Meefofek.exe
        426⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\Nihipdhl.exe
        
        C:\Windows\system32\Nihipdhl.exe
        427⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Nliaao32.exe
        
        C:\Windows\system32\Nliaao32.exe
        428⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        429⤵
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Nojjcj32.exe
        
        C:\Windows\system32\Nojjcj32.exe
        430⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        431⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        432⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        433⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        434⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10496
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        435⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        436⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        437⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Oehlkc32.exe
        
        C:\Windows\system32\Oehlkc32.exe
        438⤵
        Modifies registry class
        
        PID:11304
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        439⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        440⤵
        Drops file in System32 directory
        
        PID:11400
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        441⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        442⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        443⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11532
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        444⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        445⤵
        Drops file in System32 directory
        
        PID:11624
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        446⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\Oeaoab32.exe
        
        C:\Windows\system32\Oeaoab32.exe
        447⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        448⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        449⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\Piphgq32.exe
        
        C:\Windows\system32\Piphgq32.exe
        450⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\Plndcl32.exe
        
        C:\Windows\system32\Plndcl32.exe
        451⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        452⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        453⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11944
        
        C:\Windows\SysWOW64\Pkcadhgm.exe
        
        C:\Windows\system32\Pkcadhgm.exe
        454⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\Pcjiff32.exe
        
        C:\Windows\system32\Pcjiff32.exe
        455⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        456⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\Phganm32.exe
        
        C:\Windows\system32\Phganm32.exe
        457⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Pkenjh32.exe
        
        C:\Windows\system32\Pkenjh32.exe
        458⤵
        Drops file in System32 directory
        
        PID:12160
        
        C:\Windows\SysWOW64\Papfgbmg.exe
        
        C:\Windows\system32\Papfgbmg.exe
        459⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        460⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\Phincl32.exe
        
        C:\Windows\system32\Phincl32.exe
        461⤵
        Drops file in System32 directory
        
        PID:10388
        
        C:\Windows\SysWOW64\Pkhjph32.exe
        
        C:\Windows\system32\Pkhjph32.exe
        462⤵
        Drops file in System32 directory
        
        PID:11288
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        463⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Qkjgegae.exe
        
        C:\Windows\system32\Qkjgegae.exe
        464⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\Qepkbpak.exe
        
        C:\Windows\system32\Qepkbpak.exe
        465⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        466⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\Qohpkf32.exe
        
        C:\Windows\system32\Qohpkf32.exe
        467⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\Qebhhp32.exe
        
        C:\Windows\system32\Qebhhp32.exe
        468⤵
        Drops file in System32 directory
        
        PID:11720
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        469⤵
        Drops file in System32 directory
        
        PID:11760
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        470⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\Ajpqnneo.exe
        
        C:\Windows\system32\Ajpqnneo.exe
        471⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        472⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        473⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        474⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        475⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Ackbmcjl.exe
        
        C:\Windows\system32\Ackbmcjl.exe
        476⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\Afinioip.exe
        
        C:\Windows\system32\Afinioip.exe
        477⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        478⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\Akffafgg.exe
        
        C:\Windows\system32\Akffafgg.exe
        479⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11600
        
        C:\Windows\SysWOW64\Acmobchj.exe
        
        C:\Windows\system32\Acmobchj.exe
        480⤵
        Modifies registry class
        
        PID:11700
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        481⤵
        Drops file in System32 directory
        
        PID:11856
        
        C:\Windows\SysWOW64\Ahjgjj32.exe
        
        C:\Windows\system32\Ahjgjj32.exe
        482⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        483⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\Acokhc32.exe
        
        C:\Windows\system32\Acokhc32.exe
        484⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\Bfngdn32.exe
        
        C:\Windows\system32\Bfngdn32.exe
        485⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\Bhldpj32.exe
        
        C:\Windows\system32\Bhldpj32.exe
        486⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        487⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\Bbdhiojo.exe
        
        C:\Windows\system32\Bbdhiojo.exe
        488⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        489⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11896
        
        C:\Windows\SysWOW64\Bohibc32.exe
        
        C:\Windows\system32\Bohibc32.exe
        490⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        491⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        492⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\Bcfahbpo.exe
        
        C:\Windows\system32\Bcfahbpo.exe
        493⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        494⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\Bcinna32.exe
        
        C:\Windows\system32\Bcinna32.exe
        495⤵
        Drops file in System32 directory
        
        PID:11496
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        496⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\Bkdcbd32.exe
        
        C:\Windows\system32\Bkdcbd32.exe
        497⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        498⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        499⤵
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        500⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        501⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        502⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        503⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Cbbdjm32.exe
        
        C:\Windows\system32\Cbbdjm32.exe
        504⤵
        
        PID:12324
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        505⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        506⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\Cfqmpl32.exe
        
        C:\Windows\system32\Cfqmpl32.exe
        507⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\Cmjemflb.exe
        
        C:\Windows\system32\Cmjemflb.exe
        508⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        509⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        510⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        511⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\Dbjkkl32.exe
        
        C:\Windows\system32\Dbjkkl32.exe
        512⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\Djqblj32.exe
        
        C:\Windows\system32\Djqblj32.exe
        513⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\Dkbocbog.exe
        
        C:\Windows\system32\Dkbocbog.exe
        514⤵
        
        PID:12760
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        515⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        516⤵
        
        PID:12840
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        517⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\Dckdjomg.exe
        
        C:\Windows\system32\Dckdjomg.exe
        518⤵
        Modifies registry class
        
        PID:12932
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        519⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\Dihlbf32.exe
        
        C:\Windows\system32\Dihlbf32.exe
        520⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        521⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\Dbqqkkbo.exe
        
        C:\Windows\system32\Dbqqkkbo.exe
        522⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\Djhimica.exe
        
        C:\Windows\system32\Djhimica.exe
        523⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        524⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        525⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        526⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\Eiobceef.exe
        
        C:\Windows\system32\Eiobceef.exe
        527⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        528⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        529⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        530⤵
        Modifies registry class
        
        PID:12484
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        531⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        532⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12612
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        533⤵
        Drops file in System32 directory
        
        PID:12680
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        534⤵
        Drops file in System32 directory
        
        PID:12752
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        535⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        536⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        537⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        538⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13048
        
        C:\Windows\SysWOW64\Elgaeolp.exe
        
        C:\Windows\system32\Elgaeolp.exe
        539⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        540⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        541⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        542⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        543⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        544⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\Fmkgkapm.exe
        
        C:\Windows\system32\Fmkgkapm.exe
        545⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\Fibhpbea.exe
        
        C:\Windows\system32\Fibhpbea.exe
        546⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        547⤵
        
        PID:12884
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        548⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\Hdehni32.exe
        
        C:\Windows\system32\Hdehni32.exe
        549⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        550⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13240
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        551⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12808
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        552⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        553⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        554⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        555⤵
        Drops file in System32 directory
        
        PID:12532
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        556⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        557⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        558⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        559⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        560⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        561⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        562⤵
        
        PID:13068
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        563⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        564⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        565⤵
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Oodcdb32.exe
        
        C:\Windows\system32\Oodcdb32.exe
        566⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        567⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        568⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        569⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        570⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        571⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        572⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        573⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        574⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        575⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        576⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        577⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        578⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        579⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        580⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        581⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        582⤵
        
        PID:100
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        583⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        584⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        585⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        586⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        587⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        588⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        589⤵
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        590⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        591⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        592⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        593⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        594⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        595⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        596⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        597⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        598⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        599⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        600⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        601⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        602⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        603⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        604⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        605⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        606⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        607⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        608⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        609⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        610⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        611⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        612⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        613⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        614⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        615⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        616⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        617⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        618⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        619⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        620⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        621⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2068
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        622⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        623⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        624⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        625⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        626⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        627⤵
        
        PID:656
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        628⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        629⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        630⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        631⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        632⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        633⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3656
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        634⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        635⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        636⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        637⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        638⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        639⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        640⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        641⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        642⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        643⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        644⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        645⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        646⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        647⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        648⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        649⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        650⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        651⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        652⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        653⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        654⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        655⤵
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        656⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        657⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        658⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        659⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        660⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        661⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        662⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        663⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        664⤵
        
        PID:13052
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        665⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        666⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        667⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        668⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        669⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        670⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        671⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        672⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        673⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        674⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        675⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        676⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        677⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        678⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        679⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        680⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        681⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        682⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        683⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        684⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        685⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        686⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        687⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        688⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        689⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        690⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        691⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        692⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        693⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        694⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        695⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        696⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        697⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        698⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        699⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        700⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        701⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        702⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        703⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        704⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        705⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        706⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        707⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        708⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        709⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        710⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        711⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        712⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        713⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        714⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        715⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        716⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        717⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        718⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        719⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        720⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        721⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        722⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        723⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        724⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        725⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        726⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        727⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        728⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        729⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        730⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        731⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        732⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        733⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        734⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        735⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        736⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        737⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        738⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        739⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        740⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        741⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        742⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        743⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        744⤵
        Drops file in System32 directory
        
        PID:7800
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        745⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        746⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        747⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        748⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        749⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        750⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        751⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        752⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        753⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        754⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        755⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        756⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        757⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        758⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        759⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        760⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        761⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        762⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        763⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        764⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        765⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        766⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7972
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        767⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        768⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        769⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8172
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        770⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        771⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        772⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        773⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        774⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        775⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        776⤵
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        777⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        778⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        779⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        780⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        781⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        782⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        783⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        784⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        785⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        786⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        787⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        788⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        789⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        790⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7872
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        791⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        792⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        793⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        794⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        795⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        796⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        797⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        798⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        799⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        800⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        801⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        802⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        803⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        804⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        805⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        806⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        807⤵
        Modifies registry class
        
        PID:8764
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        808⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        809⤵
        Modifies registry class
        
        PID:9008
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        810⤵
        Drops file in System32 directory
        
        PID:9084
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        811⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        812⤵
        Drops file in System32 directory
        
        PID:9136
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        813⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        814⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8644
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        815⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        816⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        817⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        818⤵
        Drops file in System32 directory
        
        PID:8916
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        819⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        820⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8444
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        821⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        822⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        823⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        824⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        825⤵
        Drops file in System32 directory
        
        PID:9372
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        826⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        827⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        828⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        829⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        830⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        831⤵
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        832⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        833⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        834⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9752
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        835⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        836⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        837⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        838⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        839⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        840⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        841⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        842⤵
        Drops file in System32 directory
        
        PID:9348
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        843⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        844⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        845⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10596
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        846⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        847⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        848⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        849⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        850⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        851⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10500
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        852⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        853⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        854⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        855⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        856⤵
        Drops file in System32 directory
        
        PID:10960
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        857⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        858⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        859⤵
        Modifies registry class
        
        PID:11164
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        860⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        861⤵
        Modifies registry class
        
        PID:10288
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        862⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        863⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        864⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        865⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        866⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        867⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        868⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        869⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        870⤵
        Drops file in System32 directory
        
        PID:10728
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        871⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        872⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        873⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        874⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        875⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        876⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        877⤵
        Drops file in System32 directory
        
        PID:8496
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        878⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        879⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        880⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        881⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        882⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        883⤵
        Modifies registry class
        
        PID:10340
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        884⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9504
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        885⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        886⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9328
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        887⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        888⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        889⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        890⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        891⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        892⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        893⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        894⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        895⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        896⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        897⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        898⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        899⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10112
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        900⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        901⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10200
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        902⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        903⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        904⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        905⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        906⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        907⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8936
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        908⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        909⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        910⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        911⤵
        Drops file in System32 directory
        
        PID:9264
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        912⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        913⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        914⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10372 -s 412
        915⤵
        Program crash
        
        PID:10660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 10372 -ip 10372
1⤵
PID:10448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
208KB

MD5
4a1fdb26f32728aa962ef2d1f11596cd

SHA1
d52ae5e8a855424f5621540390c11c1b6a3e1d31

SHA256
2ab821bf4e47b6b185db0f9f8a78e4b8522a4713a2f96db81aa4d6825a484200

SHA512
4dc56c937f06446845ef7476a7ad40147d1e41137b0afa24673ddaaa4e4e3ac72f6143237d0846ef57c7e2545d0d30d645e5e68d5bd4447c8cd1492f64d786cc

Download Submit
C:\Windows\SysWOW64\Amodep32.exe

Filesize
208KB

MD5
0504ec817818aad477ddba1ba68a58c1

SHA1
7e4bca5752e2f200aac8b6e15e9646377bf0fef2

SHA256
b623964e4248822b185a1f873fb616b85db86986b11c0347a68432bab033c020

SHA512
fff4a0460a4a8f3888e45788e1060a15be91a45ca8f3b002d6e9c95802bef1b666869bda1f7eeffc3eacda742ec4e5323dccfe959f1855e621d8643b8a84d584

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
208KB

MD5
1140bf9aa24f277165a216f10f335b37

SHA1
34389fc6c5a7f9bcf762d3397ac9f38728b7ae7e

SHA256
3699665549a0d65f4a2125e58d6c49af79d37168b679832a8f1198bb301e92b9

SHA512
0f640f98bf485a5e95844d6da7c57b5de325d5e00d80122336e63049f66faad0b6ecfecc6ff6f0ce0c1b90e3ce7ec8a232d8f8143122b6558e989de8cf6d33c4

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
208KB

MD5
a60a8ce57c126d0f27d32353d734df60

SHA1
a0ff927173a87bbd521bd17446c11b61df3bd529

SHA256
f514b9fbf1ce8472c44e51115fc76351eafd76fe7aef272f84c2c26dcfaa1478

SHA512
72b27b6f89e23fc5606b3ffd63a84b7863d5796bb679e76113358e1b483e097fdf192648a9765d644e0c17e04ee53ca92c04874f9644b092f822a3ee1ea16007

Download Submit
C:\Windows\SysWOW64\Bmofagfp.exe

Filesize
208KB

MD5
c12789f8711cee447b0322ffe162ee81

SHA1
63edd6d97ed3f0060383b7cb5478083b521548cd

SHA256
6687a837f240b4cc7848731f0343706ff2c79faa94b6968f1325b971ce50827c

SHA512
68991f3d355c7a2d151a0dee08d917566726036e141d1a36844b518741a702da5cff6b76fa7fb7f4e04ac06993cf51743d011461c356bb7162c85ff69363fba4

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
208KB

MD5
1cd3fe9c082c8718ec6f1d66f9666551

SHA1
2c7bb91d266f13d88f18e0e2a9d9ae82cfa17b1c

SHA256
87259d45400e8ed643402b7b0648ed45938ba8a082a5daf98544e9e86f0afdac

SHA512
44905dfd217cda5e110ca6fcd9f7f23c803eb43846378b171455e62a20ac5de710e3b5d6472d80fc19c72dd2b2f674b7a1f430006cd90ed96d589e6e354314ec

Download Submit
C:\Windows\SysWOW64\Bogcgj32.exe

Filesize
208KB

MD5
f49085d342cfe8efc0daa0a8d9610b8c

SHA1
3ec45699324a1af30cfbe9461cdf7cef08e7e57c

SHA256
727c87c1e7a1301bd43dae9845b27f28c61d0b717290f7737d2c99ceacac13c9

SHA512
9b1cf502c0d72d6bf5ec637e950a8fc6636e3a0c420dda6796c7e6c5a8996d80981f6e85e891a845ae9491d206f656825e3ebe12865ba9bb412017f6b5fb1522

Download Submit
C:\Windows\SysWOW64\Bppfmigl.exe

Filesize
208KB

MD5
962a5a7c169e1054dd4dc27169d95524

SHA1
a64c35cbd700d4fd9cc772e3393c083b11f5126e

SHA256
77f3b481169f89353e7830ffb49311a00ddd927cdb712e0c4ec593ca0a5ba745

SHA512
18dbddb336f89146a97b50c6eb4f8ef1ab2469e1ea479f766c746a7d01a85c21a0efd61b35eb27cef7044503a09fd9b716e1c704c7b8d098b324854a2ea9e121

Download Submit
C:\Windows\SysWOW64\Ccgajfeh.exe

Filesize
208KB

MD5
cd649e95c197a7ad9025f9c73c08a0a9

SHA1
e471916aa3753e98c297ffefbc1e9e0a422cbfd8

SHA256
e779e3bdc74e0a21ad975a50e238ac8725f049533715bc59095c75867113769a

SHA512
cc750d10f4e81e006c9ae93d41e866407e492809f11a15d4b2a7a66d310c0945f31d0e6e7bdaccb4a4d75450991ba1d50c4341c5cdbe1de6350a90486a578aa1

Download Submit
C:\Windows\SysWOW64\Cjgpfk32.exe

Filesize
208KB

MD5
b03430c94e2671319ce4ddcb63d6d5fa

SHA1
b8ffa27d4991b3e51baa1c06bd73f6ce32927fdc

SHA256
a70a047d69e9b3c7da63ce09ac71c5062826747a66dd40d9573637e9423e340a

SHA512
7b096959890a9cd505c0e74e123f80542fe3fb538e65be25b97bf92a382e6d7a1ccab8da0a28a6cbe8d112de75f97631d68475ea70738def80cbf6b641408d9f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
208KB

MD5
bc2bcad2b765568a4c80de5112887be0

SHA1
1aa75bb0dfa3312dd7d17846f076b08a796486a3

SHA256
c52b7d1d5c97b2678ea0fc64a71ff514dfa5d891d05200843b1cac5c629c4b7c

SHA512
425acfda2cf13f8238136f04367710bf1b646271854b2d272af62caca45144636438000668da4bd89e682a5e4448c25844ae986bd71550a12563845376e6b9ed

Download Submit
C:\Windows\SysWOW64\Fffhifdk.exe

Filesize
208KB

MD5
b7445857b76c6e17a27265d65774de14

SHA1
23a71b4e3b578e1b64b71683f69d6e5a84b4f9aa

SHA256
c7dd4f44c806f305669d60d78019d61388b465d8e90682648c30cc49c5fe1986

SHA512
769b452882283627624662a254210dde133bb444e16fcbf22eda5c7e738544858bf19cc1a5805b70a5a5cc749042d2309a0d795eb7d9126449357dfe93a19866

Download Submit
C:\Windows\SysWOW64\Fimodc32.exe

Filesize
208KB

MD5
cb90da72bf32eb346bab7124aa7b1847

SHA1
fcd3bb6cefaccae1aca4b3ae424eadf4afcb9bb9

SHA256
88df0a68d95770004fc24a4165c99247a1685d92ba0ce59e254cf336d0218f83

SHA512
8ac99d5adabea9b38bd563dbcf2aaf0b531575750879016ced578f5a69970f5ffb167c66013798963dbb529933aeeefb9dbd6e5c08bac2889ad53fac6edad7e0

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
208KB

MD5
69e71316290a5b72d5fa8697979032ea

SHA1
41ca8c715f01558a350ceed72f82ebf20174b8a5

SHA256
06b81e1e6eb6b9cd08511f566c70a7ec44edc2d4e8246a33ad7ea67ee4a8b330

SHA512
76c8dd9a4c19866caf0ab6554e34dc2d0c614e88d7e396717f73fbc1474c88333267d4f2e84e289dd52a912aa4db5869356a34aa94879b3e8f5ed6b8281659de

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
208KB

MD5
c55bf3374c2deecc9ae83502332de771

SHA1
319363e78984c4acd4d1f6a23a043c270ccdc02a

SHA256
75df30b74a608d04d76b8bbe51cffedfd05ad618f5f49d0e3fa20cbbed3a120c

SHA512
6889a56f737395798bc7145e236820169bb67f4bf1fafeaa72c9f2cad622fb7ed7ee090a94a51512270c2017f0b652e927bd039e65881b907615ee04f368ce96

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
208KB

MD5
f9aaedec90284879f4dc77ec380d5c3c

SHA1
3552ef9db44eaadc07ee3f9d6ff4aaa4f1882fad

SHA256
18c86a0e0d70042b5466a91ab622842c716091b14304a1df8a9bb66a04a674cc

SHA512
6e996cfa390a2a49bd5dae1e013b873c5f152f2ba3c30a4275b140830647240c1ae5e0ff560adbc50b21349a2ba833a2d40ca807df102b425e2a854f6408ccc7

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
208KB

MD5
d4be6d4f44bf5d987501d65eb33bd762

SHA1
ddf82c319c5baff404b9771b661468ca33ad5ac6

SHA256
a9a55a299cc8541914dd162a417757911759f6ae197049f009450b8ced1a1289

SHA512
dccd769a9791f68cd8702c52d607d0cb3161040b261637ad2acfcbdf269c5d24a756be16fdcd8196b5d8b154e3be71ba8cd023ce3432a0b42da3e3bebf1fca79

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
208KB

MD5
aa3aa132845b82d1d1300d9245360e9b

SHA1
f26eb4d79c2c277c0f57edd878c5874114968ee2

SHA256
44adf552be779db22d42dcb6c34ca4ff127fd7272fccec735ef7b0571aab114f

SHA512
b42e592e4626ab97a9e23ae30d5e1d230a2e7b452a78097c68fdd01baed636c7b31a998dd0321ae74c3e8d34846a380c9c24ab23a04acb3d145f61ed29bd482b

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
208KB

MD5
207401b4a10d512d619135a87fa1c1cd

SHA1
b8971b6b963a628b0c50bd42268dec2302fedcd5

SHA256
95cb4aab6e351103238dac9df290829f52d0137e5932c2530b6b1e5f55bdc4c2

SHA512
81e9db02ec5c3784bc3bc3a7d96de8d3bb3f509f54ea95316daa033af0faf577b63c65d7fec324c5708f898845f9e2d2d4af1a01ea4f979d2d7f3b6672eeb599

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
208KB

MD5
a9dc870b406cb9e229629876b2708148

SHA1
c5fcc1a0144d10c8d514862c991dac7a8d189e18

SHA256
b7e20e3e579daede51bf19a51111890e703970ad02e72f90572b29f9cc42a3e0

SHA512
7012eaf3baa88b104be62be604b7e3ecdb4310202aa108470179ce12de2e74835ede4c49ff470de3f1bf3c7fe87033b2f924bb154ff531f7263c9fa8000cdc1f

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
208KB

MD5
daf21f33d5b239eebb46c99b2a3bab25

SHA1
74d23476a8b7aba7fb67d4057d26c2036b01fce5

SHA256
8ca826069c8fefaba7ba452ba862becf588c2cf7f385e6d439d4879f9ca3ab4d

SHA512
efa9e83bc8a77c725671e97035b65a3277bb88ef585164c36054dca0c9edf1fc1c73a4ee4feb13460514b9170b1007160b215e4e5124f8ecc172af01b6bc8f8e

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
208KB

MD5
752f68399fb6a22d7f32d000f9bd69b3

SHA1
7555e80e85bcf61bf46a0e43144fd2ec30a9bd44

SHA256
1bfe6ef7a9ea2981afa0862bad6be444a88fa63f42492def31584167c87f587c

SHA512
147a262bd9bec7ecda7cc8dec13924491757a27b24c351e5ef72b3bc73ce9b6fd3dcbc03769f6302b8e1f2679b0fc972f913d128be0880de8c698a25bc060982

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
208KB

MD5
8e5d8c74df58909b503593db72916dc2

SHA1
22fb17f756a020f4a0fe07fb7f64832c7b2a68bb

SHA256
f9eb8184979eeda89d4a3e53bd4c302dd429383d53133cd44986973ff6c6d0c5

SHA512
f3af909cdb383f18b1666327b2d6d3b58972dccfcaabd76acaad67bd3a42a3376dd4ffb16cab3cccb8cfbb9acd1a71118286c82a968bb8adf34edabd19e8a135

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
208KB

MD5
20eb27644dccab1a1c198cff1745e6e7

SHA1
340636fb9ea94653e55cbd016b17d22174e645bc

SHA256
825d596dde529251de1cbca34158c118036fa104e44c6f21284822a3f603c218

SHA512
3dffb9b37f44277354543e0223439a31a477ea31101377fffcb37a1a463244855137e914a59719dce5082867455f5c91600362e74c817573b76ba6b59813a6eb

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
208KB

MD5
c6da09b6ce767aa117f1838edcf19f4b

SHA1
c4236f09450d6141660522a6dc8d1651a2a8aa34

SHA256
6f0406a4ffd3b454406645b996a0c383f8a910c9806df3c29b9eb0bc139445c3

SHA512
1d6f0357cc044bb1d6c6e903e07ab8d419edff01458274fa7403ad94c7514a6c02596f8900fb11e541c8404ca2277099a53b6c6c44bda652e56fef76f955568c

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
208KB

MD5
9bc37aae6d71c4e4251243da78f8de69

SHA1
88df15129b6e76519e535d7675d7be6b885e92ca

SHA256
a4bda009f74156b996aaf1811340fb8c5af276efd6af6d76b84292356d983f42

SHA512
f3bf209440ecbf2bc8d917b1591d068e5545e3063ed1f8cf06b4e915ca0b4aa8d088fc126844db1b4bd323477ad7c875627d23a321a13cd8854e8f1b4172ff0f

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
208KB

MD5
b3cf535ff38f6004144a6f856ca636e2

SHA1
99668089b070dfe469a56595bbbfe2b9add3c84d

SHA256
60240a943cf80c8d3cdb542ee0c085244b57e11e415189b00e5f514dd493b21b

SHA512
05e3688cd585ce2cd87e787d03793f6b4879ddadd0195cad19d06853d71b0381c4ada4fa2e30fbcc106c6582202be09e60af130774c01ea465ce9f36ed6a4197

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
208KB

MD5
c865e90366d7805f7a0bae70c31c914e

SHA1
12758720cc8c57f2d1daf4c25eed9def4cacee66

SHA256
3dcbf350464796aa0cecd5bd2ef5aa5c0c5ecbce504539f7c01cd32425047924

SHA512
9bf06e6cdc8ff75b573630893e5e9bcfabab847f6b560f84c390dd680f712da146219ff3c64c2614f5c1af7590d1452d336b590b3e7e992c5ada42bd84d62ce4

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
208KB

MD5
f0f74006773f912b3f0470a82b83dd89

SHA1
2ceb4f8f4d3638a3e5df13cd85c642d57bf32520

SHA256
2b1c6192650d5af3f66c45c5f1c80234803cb14f4a1bc315d446c1faf7a9d300

SHA512
9c9ac09debdda8ff18d326e61480d6d5e36a08446808eb4cd979cde39bc6ff0cbcc9327d720b288a7c21c4c31c448ccfff48a7f8ffa4f650cc54424f31122dc1

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
208KB

MD5
a0f161834d373c42b92d0d69d7a1d52a

SHA1
c434d4fc16f33dbd7cba79e8386db8c8249d7cf8

SHA256
cce17ad28c98562277e5b79b83aaa6a9acf2f5bc355bd0db311c17d1c6991d40

SHA512
aec3610ff9309d229d095af7c9ebb02fb7b8e7b1cb0851cf904f886fb0b4147054209dee1707e15db3d972b88fe072af9845a4c695a120ddc0cfe2f3c95a32df

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
208KB

MD5
f35466f6e95170ab6aee93123ad23c92

SHA1
423c3a19d64a178679507ebdf395172c7b285ada

SHA256
cf07efccac47256039d95e9dcecc7c073dacbd39b79a33e7bacabcbcfe4b5579

SHA512
d8c3d7d9e0dd39b7285402bf58e5f6d206f5e8c00a3e5c179f9ec741e1a05d0f5ca5f5f8b8965b235f9414c8b4fa213888a2f15162e26262d83e4c0d592db4ae

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
208KB

MD5
b0774ace3c98a91599582f03c0063c5c

SHA1
0a1f69d714ada663f8ec0e8abb113fa8b160d021

SHA256
46f2700bdcba58d2952799ca3395781a4e3bd4c1fe8848f2f54d489ddd12801a

SHA512
ef04263b0a7eaea7a940f8ddd919f0a755a546153a9b273534bbd7542a1993820f7a6cd092af6a6e1b20237fa78aed9d72ded60653dc9827d0f0ef8682925833

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
208KB

MD5
8d64460b6c34426f2881ab50942e7264

SHA1
288dfec58a2c7b1b854cf4d15c590daac93f85eb

SHA256
bae1af829b596a2a37d89d69462c1862d3d4499154f637fe42af79afe7f141f0

SHA512
d0237f6824526115e2581c00696419c7f8da0ea8712e0eeffbbefb857386b827b5e993322f7a5cff24c5ba1150446a21720fddcf905ee62a0c9d35831ab4d6cc

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
208KB

MD5
3a197a99fd4d540d1667fd094e9c0e3e

SHA1
7e4b776a530dab1e9b2714b3264977a044082102

SHA256
bcde1298bd71a65ae19ccb72b0e3b875241be176d7d4a41e6771077e39c466c8

SHA512
e500705b32fc3494794433a03477a885836aaf912c623393c9ac339e736388f77b56cca49074f58edf571e3f637132e334643b550a2defd134844ca4024d0513

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
208KB

MD5
9de346aaee8666e4fd6859d8a09bb090

SHA1
b5d90e03cd020ad40c54467557f59bcb3e2c50b8

SHA256
271e5d44c40cfe393c81869c9fb399a560ebcd87d0db70c9531bdb5b91b6b24f

SHA512
0d23db4e634ad9bd5defb47d730c6cdf9fdf90765bf841cbe6191a526b27f2a4efac898d184fc8861cd424974c8cf1ea022f8bb11ef4f16f2822d367795bfff0

Download Submit
C:\Windows\SysWOW64\Jnpfop32.exe

Filesize
208KB

MD5
7b6f6eea5f625fb2764411572c63035f

SHA1
a00f4f91d42ed3b096be6c36fcfff9b37d185b33

SHA256
4cc78c459abfa57990938cda0a8c700e22a96cf58e384b708789dd36bfbdac88

SHA512
a548ee904feaf5414399683243ba1e77bb1a0f36c1ecc92725f5b28662b948fa186918997de470da146537764bd778d2de3dae3e27e6992ec9a35650a04d1e4d

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
208KB

MD5
1f7178e497fd3990197c3a326a48ad46

SHA1
74b26a45645b73108cc52dd39f84723b0f4924fa

SHA256
0c4310c16dba46d9a56708a4c26e350101163813026e9e8ed149a505239ffb16

SHA512
a05360318363a5c6113f8539161406924ed90790f08b04adfae42ad393bc5a577446fc3d4211442c1ba2d2eab72e05aa2cfb1c8bbf08ffe0fe14c7ce59c1f1fd

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
208KB

MD5
3ba1eccd5119938a2bcf3d8a2e661b63

SHA1
fb2717977efb3fe598848c4e06451ab44f01f77f

SHA256
f5cc29343a2b64bb8883464ba2cf7bf5abc8f5bd81bb8f00f8837f3c409af840

SHA512
6824caeb1aaf439c8134e344fd5d5b1492990b13d3fc39d86d276025185f68e9d2e43b3953f3ac6a9b8393e415cbca6dd033c75a09d5572c4698e82573e3d864

Download Submit
C:\Windows\SysWOW64\Kghjhemo.exe

Filesize
208KB

MD5
2e5788f5cd4318421b00a9e2497fcddb

SHA1
2831fa339e09e73358b3f4fcf14d9f4ea0513015

SHA256
3555c42133699fd81d80c71c08022c977b4139096e83f2e784f16fcbdd833787

SHA512
556cc59c0925909b5975a81cadc1692232f27d53f472db7d13d3cdd36f7d1ff520f55deed075b677a90f849e6c2a771fa594b6fce9d13c7ea3a654a18bf2a671

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
208KB

MD5
ba4dab4a625a2cf1575a7b815ea6bef4

SHA1
3963304becfc859a9c1400375785987ffcd4b5bc

SHA256
8e22a81a2254067847c751f0f70f8681c0d49907680f70c7838e3f8e15be75bf

SHA512
64a0a32f7e4a3cf5e309965e765bf969bc19babb9d64fdd48aef3eabc3bacbae63815a03d597b5361748f7d8099bfa6695006f28414c14098197f3040e8f7ac5

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
208KB

MD5
e41dfbc88a5d7b896b24d3f4edfb7c54

SHA1
e509084a48b1dfe860cf42593ca757213e0b81d7

SHA256
36526ebf14a9fb93bd8af5fd129c9a4434f037edda9de7aa1193a21a6520ec34

SHA512
69a42cb19501816346ef949eb5ebdda90a94d52d21849c818fc4f5ac9d9c9b36a480071dd6f5f20d2f201a4c3bcc2985f66b37f928d71c8eb90e7c43befe8a6b

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
208KB

MD5
50b6d783a202aa70d8a30fba4de36de3

SHA1
f14801d5065252eff306a46d774186ed98552cf1

SHA256
27e6c16d845f7c38d0c82ee92fd0689ff8e92481e8e0e3971f2bd8609deb0a75

SHA512
f6ca8a8ef7c3c4b406940c03e17b15848ab6cb8f4dd88cfc229f058d49ecb36db8b2f19d1dc3ab8cbf00aff915352e718526273b5d9e5e6102eb8857b423c636

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
208KB

MD5
7bb5c5db2cd30d144bd9cbf2efd1e5ac

SHA1
e80966f7af41e228adbdd49377fc70ebf9e11ad6

SHA256
492e1f5456b3a1528ad0aeeff097daed1167d3bb192955ae1081715f2b8d12fa

SHA512
9967608867194156d95fe62d8a327c7caee476990b61750dfd6593723dfa9e701c1088fc8903fc18f7d3db2fd3ea372d3ced126216accbec51128b37a085688e

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
208KB

MD5
105ce806a1103b2d854e90cc77f3d71b

SHA1
08cba4e7fac760cae5458fcd78ce2f53def70198

SHA256
0b58c189e3c151a16099fb0156db9324a6bab6bd8eba1613f3b76d690048e7ec

SHA512
ed020f0c20d7f47daa7e950064780a9f24e234cb43e259389e27ee143e17c93dedc7be2ce6429d7af0d25f3fcfccc29410fd4219fbf3983bd9b1ba0e40a5bdf5

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
208KB

MD5
dbea95681e7b04c107819ef0fc7ef047

SHA1
dfd328c77bb2c0f4bbad42f40387dac1d2871934

SHA256
55f4d493a6aedf49bf82f21d6b49785169a56fd13568acf8b015e3b08fb5f660

SHA512
a6e8aeda3cc2e96faecacd077889916ff07da8004ed7c798e4f6bebd0da185b80102e144d6cc0aa0c8ffc4590a3269f66c969787bb59d2b197c804df3dd10aa7

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
208KB

MD5
2e96ea16bbcc8e60ead16a3ad6f20ba0

SHA1
2b9114194ed185d53ab65f68741bcaaaebe3242c

SHA256
24510c69586c26ad59c3e045b0a5641f07a5bec196fda2a1316a070c4018a204

SHA512
474410e847cbca451eff21ef35713beca21df396cfaf53fed5fb2f33dac2c7760ceacc5340feb81e39521251d51bd0fd5c39d5f543e4afab18cd800a3e36f6a1

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
208KB

MD5
dfc3e0e2b22043cd8885d2082eacf75d

SHA1
d29e389ae9d1399fadd6b3de177c0042fdea009b

SHA256
7f298c450d959cc2a886c99a727d0dc36d888c323eec5566277a121cec1159ac

SHA512
f78bf803c69afcd52b82c66d6d37164acc975506e7f07748cbf9c28f068e988b47fa3e8c5f7702a9d37015a5c4326ee276b673816d8a3a670f8ad44bc357a2e1

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
208KB

MD5
7534364e6e473c30babf71ff5c16b662

SHA1
4909473ca5b5bad2df960924abf752e58fb32fea

SHA256
eee5470f9ffb8a3709e299e2b2b5435a9a5afe4ab4c43b199bef6444e79539f8

SHA512
191ceaa368ac74d6b0cad60b85bfad627fd7c12d09f458c8462038954ad6614786d6e5dea2e0c17a9af098ce3b88528d06b4fb26e7a3b2d8c1865078358cb3b0

Download Submit
C:\Windows\SysWOW64\Lnpofnhk.exe

Filesize
208KB

MD5
dbc083d01e012ae5c099c68a73eaf62f

SHA1
fe80253778b12a1e3975cdc77890cc74e2df29d0

SHA256
c338dc63d50a6fe7a0b61c6cf6ff05b0217edfb5fb9f06aea0bc5af9e73e9a93

SHA512
72e5bd7dd47fdf303f83c8e45153871d10af41fc541e9a18fa4900125333cbffc1bfaebe367c1882f42a57164d634f3f9d53e5062456f587f5ae278080cf344e

Download Submit
C:\Windows\SysWOW64\Lpcqcc32.dll

Filesize
7KB

MD5
3043fc01daa2dd6660bd33e37cf71960

SHA1
63b7f6f889085b97dc9ed4292338ce1a0bea2cc8

SHA256
b9aa54482f41ac6f14fdcfdb3a05941640c283494d13ed52062a83e4282f682c

SHA512
2e81d718ffadbd19f84c710aa90ef84f5b283c8fd95f8e360d1ddca22fc49f584a29cbad68b7fb190d7f4920a32dce34dc130b8263dbdd3dc247136c16238425

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
208KB

MD5
68e2c32c8a3a46b643eaf2eb4288230b

SHA1
c7894173966e75c5dc5fd7305cfd453653a4adb4

SHA256
b0b9288345c574340cfb29a182b951d8bc0251859f37dc98164b92c050befa71

SHA512
3608ddbc083640082c80cbb34e2f2be320743cffe2d581a5ed144816c60452c7c5b11d4d0f85b5576386c736a467205543025ea261d6823fb1728bed0d062a58

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
208KB

MD5
38b1b80766bf3d429286670352682e4e

SHA1
65942b1fefd5a490b278726804789eaab74183ab

SHA256
74bfe71304e240009fa06c2cc2a0965f4156317f9ec30e61bf4780cda39cb413

SHA512
2005caaa774ac685113cd4f7b5d8bcbc05c08cacdf31b985e8b292f6bc4b5261efc5b534da4533c9ab7132a3e11a261439ef9bd6acc43e9e58f8b15fd1969898

Download Submit
C:\Windows\SysWOW64\Ngdfdmdi.exe

Filesize
64KB

MD5
6c9ec739d6905df1d6e4bec73d54e751

SHA1
19735f26cee9c2b6d5aa88d8ba4ee734c7e3c0a7

SHA256
719d8dce7897fb1563aa806519c9fecd2ce9c2a9fbda764b8bf5f2cd46aa5bf7

SHA512
e627d0a493ea9c4ba734752b9228ef741f017fdd59e89f2604ba059d31495544e04e8e4e3fcc143b68f81d36aae5532d4fc918b5c2b25e6efe0db95bb7c4a650

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
208KB

MD5
bdd0725ef773763fe6c20ccba86c993a

SHA1
40cf369f3eded210303854224197c27d5d18031d

SHA256
8e8a5829587249e461f244ca00625fda99baddce7b68750627ed6fe1624f1633

SHA512
6150cd4f6a969470c72c08b2e45466df5ac9286b3596ed84342a484ebf3e078d95774d511f79e3dca4a1c4102b99a61edd47b810f1cf1c4dce94bfc82f840cac

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
208KB

MD5
67281d39d7d723a518bad527e4789bdc

SHA1
052ea5a6afaa2c4e548d48cf8883eefd29cfb874

SHA256
d3ed30c28b4cd75ffb5463022e18d6058fa7edbf69b76b27caec5d441599336b

SHA512
5e7d64694fa97e0afcf649baca6961e010cbc59e03a64476eaedfe79f4997caef21f4303d49d4ff3011eb5b4dec5221f8def37b1aecd9384c0e6167316be72fa

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
208KB

MD5
3d71cd55a8c01c504e6f9c51d22e8635

SHA1
f509df4276876984a7c0186caf2d3aca60dca791

SHA256
89fb8c751cd9894374ed20aad4c15b863776566abc56aaac180b64dc4148778e

SHA512
0a23f49fcd6f28e9bec2e7267325382ef12ce1f44eff8548e81dc726743f138f4e1659ba6252fdd4c2021d21051c5a1cd4c19446975cf488fb04702a80ff60ee

Download Submit
C:\Windows\SysWOW64\Ookjdn32.exe

Filesize
208KB

MD5
aa680430bd338ec47531a68a797be77e

SHA1
6383961faeda86195749040cde681e1a8d4b561e

SHA256
a000d8725bcc0acae8d43c0a0b54b3f84a4e59071bbebf988fc3231a85c06de2

SHA512
3f0bad18b6bafafb66cbdb143db5bc2a3065ab4d4afb3118a83df1f383db506910a2900521179b6a92e2ec8784b79792b0931f72a88ad178b2d430189d217bb4

Download Submit
C:\Windows\SysWOW64\Qhonib32.exe

Filesize
208KB

MD5
04da055d351e858d9f86bb99b946256a

SHA1
c0c72d33c991759a21bc3e3194341a78e75c836b

SHA256
921d5f244f6284860e47d21969cbbb872eb6ea0becab2e2fa14561ce88d2e8fc

SHA512
6ac770e88347f1cec5ab3f5f9d4ba56287f20783f09464665c40328ffb7d6d4b87b70aa16578325aa12042e902e965b922fda67eca9eda1ba9ce0c68feffb1c9

Download Submit
C:\Windows\SysWOW64\Qkjgegae.exe

Filesize
208KB

MD5
7ada8201871135f4dc66a6d8d44c922f

SHA1
32954a0b868fe064a379a87f2764260f7abcea5b

SHA256
2614421f5b5516cf6f11f72a4baecb481b0942a55f59da55fea313f67f66ee78

SHA512
b6222d3b0175cea7615d6e73b5a16697e41cc1ae2018c97fde15d01310443ceea6201f7c95f6a559d5938fc1302e7aecabbffc78a23a409e5d884f039e18a95a

Download Submit
memory/232-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/684-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/944-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4124-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4916-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads