b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe
Size

76KB
MD5

eaa4fd8e46d73f687d43022327a8334e
SHA1

5de5a612ae1e2c5eb6df6c09592bd3e45b8149c6
SHA256

b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62
SHA512

782521251ee50fa364c629d0eb550b12caf79b3f6b4c90c12ea092350ca9839f66daf6cd813b0474faaa4ca86c13e8f1c8ff83fafaf0874b03b8d5ce51e8830f
SSDEEP

1536:KkkjsoWvXz+RJ6R9T76oifPtH8lR8HioQV+/eCeyvCQ:To4XzCJqh6oyFH8H8Hrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamapjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbolp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkhdqoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckclhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebgpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgopidgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oocmii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnjpfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hammhcij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pajeam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemmac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcomcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idahjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keifdpif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elgaeolp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhicpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomgjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnnnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfhad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nognnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmdhcddh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epndknin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epndknin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjaqpbkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihphkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdhiojo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcobaedj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqffjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcelmhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibfck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nognnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nemmoe32.exe

Executes dropped EXE 64 IoCs

pid	Process
2440	Hdlpneli.exe
4108	Hkhdqoac.exe
3076	Hbbmmi32.exe
1976	Hdpiid32.exe
1916	Hhnbpb32.exe
4784	Inkjhi32.exe
4956	Idebdcdo.exe
3980	Iokgal32.exe
3356	Ifdonfka.exe
4068	Ikaggmii.exe
4764	Inpccihl.exe
3112	Inbqhhfj.exe
1352	Ioambknl.exe
1240	Iijaka32.exe
4060	Jbbfdfkn.exe
2608	Jgonlm32.exe
1644	Jfpojead.exe
3332	Jkmgblok.exe
1576	Jbgoof32.exe
2572	Jkodhk32.exe
3652	Jnnpdg32.exe
452	Jehhaaci.exe
4988	Jgfdmlcm.exe
3960	Jblijebc.exe
4224	Jghabl32.exe
1436	Kelalp32.exe
2800	Kgknhl32.exe
4152	Keonap32.exe
1376	Klifnj32.exe
4800	Kfnkkb32.exe
676	Kbekqdjh.exe
2888	Klmpiiai.exe
5060	Kbghfc32.exe
3464	Lnnikdnj.exe
2192	Lfealaol.exe
3096	Lhfmdj32.exe
1176	Lemkcnaa.exe
1404	Llgcph32.exe
4892	Lflgmqhd.exe
2416	Lhncdi32.exe
5028	Lfodbqfa.exe
1792	Mbedga32.exe
548	Mhbmphjm.exe
1800	Molelb32.exe
2984	Mhdjehhj.exe
4244	Mbjnbqhp.exe
3604	Midfokpm.exe
4120	Moaogand.exe
4484	Mfhfhong.exe
1180	Mhicpg32.exe
4792	Mockmala.exe
1728	Niipjj32.exe
3100	Npchgdcd.exe
2072	Nbadcpbh.exe
2220	Npedmdab.exe
2548	Ngomin32.exe
776	Nchjdo32.exe
1428	Nlqomd32.exe
1148	Oeicejia.exe
1260	Ooagno32.exe
3576	Oekpkigo.exe
3124	Olehhc32.exe
2568	Ogklelna.exe
4268	Olgemcli.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adfokn32.dll	Geohklaa.exe
File created	C:\Windows\SysWOW64\Npkjmfie.dll	Pcobaedj.exe
File created	C:\Windows\SysWOW64\Dlkbjqgm.exe	Djjebh32.exe
File created	C:\Windows\SysWOW64\Akepfpcl.exe	Ahgcjddh.exe
File created	C:\Windows\SysWOW64\Mjlalkmd.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Niipjj32.exe	Mockmala.exe
File created	C:\Windows\SysWOW64\Okehmlqi.dll	Mmpmnl32.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Kpccmhdg.exe
File opened for modification	C:\Windows\SysWOW64\Bqkill32.exe	Bjaqpbkh.exe
File opened for modification	C:\Windows\SysWOW64\Ecefqnel.exe	Elnoopdj.exe
File created	C:\Windows\SysWOW64\Ljeafb32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Ehkljb32.dll	Ljaoeini.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Kheekkjl.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Eqiibjlj.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Idghpmnp.exe	Iqklon32.exe
File created	C:\Windows\SysWOW64\Ljkifn32.exe	Lijlof32.exe
File created	C:\Windows\SysWOW64\Mdeodj32.dll	Lkeekk32.exe
File opened for modification	C:\Windows\SysWOW64\Apjdikqd.exe	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Injmlc32.dll	Dmdhcddh.exe
File created	C:\Windows\SysWOW64\Cdnmfclj.exe	Cndeii32.exe
File created	C:\Windows\SysWOW64\Kjmejc32.dll	Dhgonidg.exe
File created	C:\Windows\SysWOW64\Nmiadaea.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Jpgdai32.exe	Jimldogg.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lcmodajm.exe
File opened for modification	C:\Windows\SysWOW64\Aqoiqn32.exe	Ajeadd32.exe
File created	C:\Windows\SysWOW64\Meiioonj.exe	Mmpdhboj.exe
File opened for modification	C:\Windows\SysWOW64\Gmafajfi.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Lhfmdj32.exe	Lfealaol.exe
File opened for modification	C:\Windows\SysWOW64\Aodfajaj.exe	Amfjeobf.exe
File created	C:\Windows\SysWOW64\Dmalne32.exe	Dcigeooj.exe
File created	C:\Windows\SysWOW64\Oekiqccc.exe	Okedcjcm.exe
File created	C:\Windows\SysWOW64\Odgpqgeo.dll	Madjhb32.exe
File created	C:\Windows\SysWOW64\Cmiogmig.dll	Fmkgkapm.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Nffaen32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Kodapf32.dll	Lknojl32.exe
File created	C:\Windows\SysWOW64\Olgncmim.exe	Oemefcap.exe
File created	C:\Windows\SysWOW64\Dqklch32.dll	Pekbga32.exe
File created	C:\Windows\SysWOW64\Cjecpkcg.exe	Bkdcbd32.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hldiinke.exe
File created	C:\Windows\SysWOW64\Hhiajmod.exe	Hjhalefe.exe
File created	C:\Windows\SysWOW64\Anbpqqmm.dll	Nobdbkhf.exe
File opened for modification	C:\Windows\SysWOW64\Abponp32.exe	Akffafgg.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Jghabl32.exe	Jblijebc.exe
File created	C:\Windows\SysWOW64\Higjaoci.exe	Hcmbee32.exe
File created	C:\Windows\SysWOW64\Cdbbdk32.dll	Higjaoci.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Mjjkaabc.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Mhghfqcd.dll	Jfpojead.exe
File created	C:\Windows\SysWOW64\Ajcdnd32.exe	Acilajpk.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	Johnamkm.exe
File created	C:\Windows\SysWOW64\Hjlkge32.exe	Hkjjlhle.exe
File created	C:\Windows\SysWOW64\Ogbdnipf.dll	Eejeiocj.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Opclldhj.exe
File opened for modification	C:\Windows\SysWOW64\Dkhgod32.exe	Dhikci32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmojd32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Iblbgn32.dll	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bpjmph32.exe
File opened for modification	C:\Windows\SysWOW64\Pkhjph32.exe	Phincl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10092	8876	WerFault.exe	1007

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkaicd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnqig32.dll"	Qhngolpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgjejhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafhkhce.dll"	Efccmidp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Embddb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdilnojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpeeehm.dll"	Oebflhaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiobodkp.dll"	Aqoiqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdoihpbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodbhp32.dll"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cllhoapg.dll"	Midfokpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkpeopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljilqnlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeddnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll"	Mmkkmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll"	Fefedmil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iibccgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moaogand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnnc32.dll"	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leenhhdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiioonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekodjiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll"	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giecfejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhncdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll"	Cmmbbejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbndfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll"	Ijegcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll"	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjnffjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lflgmqhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmmpfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhalefe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifdonfka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpldkpc.dll"	Niakfbpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfhkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll"	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaqdegaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflaie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jghabl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccchof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlonj32.dll"	Jjmcnbdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkcfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll"	Nliaao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll"	Phcgcqab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2440	2880	b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe	88
PID 2880 wrote to memory of 2440	2880	b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe	88
PID 2880 wrote to memory of 2440	2880	b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe	88
PID 2440 wrote to memory of 4108	2440	Hdlpneli.exe	89
PID 2440 wrote to memory of 4108	2440	Hdlpneli.exe	89
PID 2440 wrote to memory of 4108	2440	Hdlpneli.exe	89
PID 4108 wrote to memory of 3076	4108	Hkhdqoac.exe	90
PID 4108 wrote to memory of 3076	4108	Hkhdqoac.exe	90
PID 4108 wrote to memory of 3076	4108	Hkhdqoac.exe	90
PID 3076 wrote to memory of 1976	3076	Hbbmmi32.exe	91
PID 3076 wrote to memory of 1976	3076	Hbbmmi32.exe	91
PID 3076 wrote to memory of 1976	3076	Hbbmmi32.exe	91
PID 1976 wrote to memory of 1916	1976	Hdpiid32.exe	92
PID 1976 wrote to memory of 1916	1976	Hdpiid32.exe	92
PID 1976 wrote to memory of 1916	1976	Hdpiid32.exe	92
PID 1916 wrote to memory of 4784	1916	Hhnbpb32.exe	93
PID 1916 wrote to memory of 4784	1916	Hhnbpb32.exe	93
PID 1916 wrote to memory of 4784	1916	Hhnbpb32.exe	93
PID 4784 wrote to memory of 4956	4784	Inkjhi32.exe	94
PID 4784 wrote to memory of 4956	4784	Inkjhi32.exe	94
PID 4784 wrote to memory of 4956	4784	Inkjhi32.exe	94
PID 4956 wrote to memory of 3980	4956	Idebdcdo.exe	95
PID 4956 wrote to memory of 3980	4956	Idebdcdo.exe	95
PID 4956 wrote to memory of 3980	4956	Idebdcdo.exe	95
PID 3980 wrote to memory of 3356	3980	Iokgal32.exe	96
PID 3980 wrote to memory of 3356	3980	Iokgal32.exe	96
PID 3980 wrote to memory of 3356	3980	Iokgal32.exe	96
PID 3356 wrote to memory of 4068	3356	Ifdonfka.exe	97
PID 3356 wrote to memory of 4068	3356	Ifdonfka.exe	97
PID 3356 wrote to memory of 4068	3356	Ifdonfka.exe	97
PID 4068 wrote to memory of 4764	4068	Ikaggmii.exe	98
PID 4068 wrote to memory of 4764	4068	Ikaggmii.exe	98
PID 4068 wrote to memory of 4764	4068	Ikaggmii.exe	98
PID 4764 wrote to memory of 3112	4764	Inpccihl.exe	99
PID 4764 wrote to memory of 3112	4764	Inpccihl.exe	99
PID 4764 wrote to memory of 3112	4764	Inpccihl.exe	99
PID 3112 wrote to memory of 1352	3112	Inbqhhfj.exe	100
PID 3112 wrote to memory of 1352	3112	Inbqhhfj.exe	100
PID 3112 wrote to memory of 1352	3112	Inbqhhfj.exe	100
PID 1352 wrote to memory of 1240	1352	Ioambknl.exe	101
PID 1352 wrote to memory of 1240	1352	Ioambknl.exe	101
PID 1352 wrote to memory of 1240	1352	Ioambknl.exe	101
PID 1240 wrote to memory of 4060	1240	Iijaka32.exe	102
PID 1240 wrote to memory of 4060	1240	Iijaka32.exe	102
PID 1240 wrote to memory of 4060	1240	Iijaka32.exe	102
PID 4060 wrote to memory of 2608	4060	Jbbfdfkn.exe	103
PID 4060 wrote to memory of 2608	4060	Jbbfdfkn.exe	103
PID 4060 wrote to memory of 2608	4060	Jbbfdfkn.exe	103
PID 2608 wrote to memory of 1644	2608	Jgonlm32.exe	104
PID 2608 wrote to memory of 1644	2608	Jgonlm32.exe	104
PID 2608 wrote to memory of 1644	2608	Jgonlm32.exe	104
PID 1644 wrote to memory of 3332	1644	Jfpojead.exe	105
PID 1644 wrote to memory of 3332	1644	Jfpojead.exe	105
PID 1644 wrote to memory of 3332	1644	Jfpojead.exe	105
PID 3332 wrote to memory of 1576	3332	Jkmgblok.exe	106
PID 3332 wrote to memory of 1576	3332	Jkmgblok.exe	106
PID 3332 wrote to memory of 1576	3332	Jkmgblok.exe	106
PID 1576 wrote to memory of 2572	1576	Jbgoof32.exe	108
PID 1576 wrote to memory of 2572	1576	Jbgoof32.exe	108
PID 1576 wrote to memory of 2572	1576	Jbgoof32.exe	108
PID 2572 wrote to memory of 3652	2572	Jkodhk32.exe	109
PID 2572 wrote to memory of 3652	2572	Jkodhk32.exe	109
PID 2572 wrote to memory of 3652	2572	Jkodhk32.exe	109
PID 3652 wrote to memory of 452	3652	Jnnpdg32.exe	110

C:\Users\Admin\AppData\Local\Temp\b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe
"C:\Users\Admin\AppData\Local\Temp\b1d58ed4824c5fa04e9a3c2d25111c98394ebe1428e78d374530aac4b074aa62.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Hdlpneli.exe
  C:\Windows\system32\Hdlpneli.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Hkhdqoac.exe
    C:\Windows\system32\Hkhdqoac.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\Hbbmmi32.exe
      C:\Windows\system32\Hbbmmi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Windows\SysWOW64\Hdpiid32.exe
        
        C:\Windows\system32\Hdpiid32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\Hhnbpb32.exe
        
        C:\Windows\system32\Hhnbpb32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Inkjhi32.exe
        
        C:\Windows\system32\Inkjhi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Idebdcdo.exe
        
        C:\Windows\system32\Idebdcdo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Iokgal32.exe
        
        C:\Windows\system32\Iokgal32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ifdonfka.exe
        
        C:\Windows\system32\Ifdonfka.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Ikaggmii.exe
        
        C:\Windows\system32\Ikaggmii.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Inbqhhfj.exe
        
        C:\Windows\system32\Inbqhhfj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Ioambknl.exe
        
        C:\Windows\system32\Ioambknl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Iijaka32.exe
        
        C:\Windows\system32\Iijaka32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Jbbfdfkn.exe
        
        C:\Windows\system32\Jbbfdfkn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Jgonlm32.exe
        
        C:\Windows\system32\Jgonlm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jfpojead.exe
        
        C:\Windows\system32\Jfpojead.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Jkmgblok.exe
        
        C:\Windows\system32\Jkmgblok.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Jbgoof32.exe
        
        C:\Windows\system32\Jbgoof32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Jnnpdg32.exe
        
        C:\Windows\system32\Jnnpdg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Jehhaaci.exe
        
        C:\Windows\system32\Jehhaaci.exe
        23⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Jgfdmlcm.exe
        
        C:\Windows\system32\Jgfdmlcm.exe
        24⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Jblijebc.exe
        
        C:\Windows\system32\Jblijebc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Jghabl32.exe
        
        C:\Windows\system32\Jghabl32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Kelalp32.exe
        
        C:\Windows\system32\Kelalp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Kgknhl32.exe
        
        C:\Windows\system32\Kgknhl32.exe
        28⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Keonap32.exe
        
        C:\Windows\system32\Keonap32.exe
        29⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Klifnj32.exe
        
        C:\Windows\system32\Klifnj32.exe
        30⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Kfnkkb32.exe
        
        C:\Windows\system32\Kfnkkb32.exe
        31⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Kbekqdjh.exe
        
        C:\Windows\system32\Kbekqdjh.exe
        32⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Klmpiiai.exe
        
        C:\Windows\system32\Klmpiiai.exe
        33⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Kbghfc32.exe
        
        C:\Windows\system32\Kbghfc32.exe
        34⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        35⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Lfealaol.exe
        
        C:\Windows\system32\Lfealaol.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Lhfmdj32.exe
        
        C:\Windows\system32\Lhfmdj32.exe
        37⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Lemkcnaa.exe
        
        C:\Windows\system32\Lemkcnaa.exe
        38⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Llgcph32.exe
        
        C:\Windows\system32\Llgcph32.exe
        39⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Lflgmqhd.exe
        
        C:\Windows\system32\Lflgmqhd.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Lhncdi32.exe
        
        C:\Windows\system32\Lhncdi32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Lfodbqfa.exe
        
        C:\Windows\system32\Lfodbqfa.exe
        42⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Mbedga32.exe
        
        C:\Windows\system32\Mbedga32.exe
        43⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Mhbmphjm.exe
        
        C:\Windows\system32\Mhbmphjm.exe
        44⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Molelb32.exe
        
        C:\Windows\system32\Molelb32.exe
        45⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Mhdjehhj.exe
        
        C:\Windows\system32\Mhdjehhj.exe
        46⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Mbjnbqhp.exe
        
        C:\Windows\system32\Mbjnbqhp.exe
        47⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Midfokpm.exe
        
        C:\Windows\system32\Midfokpm.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Moaogand.exe
        
        C:\Windows\system32\Moaogand.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Mfhfhong.exe
        
        C:\Windows\system32\Mfhfhong.exe
        50⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Mhicpg32.exe
        
        C:\Windows\system32\Mhicpg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Mockmala.exe
        
        C:\Windows\system32\Mockmala.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Niipjj32.exe
        
        C:\Windows\system32\Niipjj32.exe
        53⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Npchgdcd.exe
        
        C:\Windows\system32\Npchgdcd.exe
        54⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        55⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Npedmdab.exe
        
        C:\Windows\system32\Npedmdab.exe
        56⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Ngomin32.exe
        
        C:\Windows\system32\Ngomin32.exe
        57⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Nchjdo32.exe
        
        C:\Windows\system32\Nchjdo32.exe
        58⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Nlqomd32.exe
        
        C:\Windows\system32\Nlqomd32.exe
        59⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Oeicejia.exe
        
        C:\Windows\system32\Oeicejia.exe
        60⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Ooagno32.exe
        
        C:\Windows\system32\Ooagno32.exe
        61⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Oekpkigo.exe
        
        C:\Windows\system32\Oekpkigo.exe
        62⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Olehhc32.exe
        
        C:\Windows\system32\Olehhc32.exe
        63⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Ogklelna.exe
        
        C:\Windows\system32\Ogklelna.exe
        64⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Olgemcli.exe
        
        C:\Windows\system32\Olgemcli.exe
        65⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Ocamjm32.exe
        
        C:\Windows\system32\Ocamjm32.exe
        66⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Oepifi32.exe
        
        C:\Windows\system32\Oepifi32.exe
        67⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Ohnebd32.exe
        
        C:\Windows\system32\Ohnebd32.exe
        68⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Oebflhaf.exe
        
        C:\Windows\system32\Oebflhaf.exe
        69⤵
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ophjiaql.exe
        
        C:\Windows\system32\Ophjiaql.exe
        70⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Pgbbek32.exe
        
        C:\Windows\system32\Pgbbek32.exe
        71⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Phcomcng.exe
        
        C:\Windows\system32\Phcomcng.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1484
        
        C:\Windows\SysWOW64\Pomgjn32.exe
        
        C:\Windows\system32\Pomgjn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:656
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        74⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Plagcbdn.exe
        
        C:\Windows\system32\Plagcbdn.exe
        75⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        76⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        77⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Pjgebf32.exe
        
        C:\Windows\system32\Pjgebf32.exe
        78⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Podmkm32.exe
        
        C:\Windows\system32\Podmkm32.exe
        79⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Phlacbfm.exe
        
        C:\Windows\system32\Phlacbfm.exe
        80⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Pqcjepfo.exe
        
        C:\Windows\system32\Pqcjepfo.exe
        81⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Qgnbaj32.exe
        
        C:\Windows\system32\Qgnbaj32.exe
        82⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        83⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Qqffjo32.exe
        
        C:\Windows\system32\Qqffjo32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Qgpogili.exe
        
        C:\Windows\system32\Qgpogili.exe
        85⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        86⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Aokcklid.exe
        
        C:\Windows\system32\Aokcklid.exe
        87⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        88⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Ahchda32.exe
        
        C:\Windows\system32\Ahchda32.exe
        89⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Aqkpeopg.exe
        
        C:\Windows\system32\Aqkpeopg.exe
        90⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        91⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Ajcdnd32.exe
        
        C:\Windows\system32\Ajcdnd32.exe
        92⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ajeadd32.exe
        
        C:\Windows\system32\Ajeadd32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Aqoiqn32.exe
        
        C:\Windows\system32\Aqoiqn32.exe
        94⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Aflaie32.exe
        
        C:\Windows\system32\Aflaie32.exe
        95⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Amfjeobf.exe
        
        C:\Windows\system32\Amfjeobf.exe
        96⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        97⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Bqdblmhl.exe
        
        C:\Windows\system32\Bqdblmhl.exe
        99⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        100⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Biogppeg.exe
        
        C:\Windows\system32\Biogppeg.exe
        101⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Boipmj32.exe
        
        C:\Windows\system32\Boipmj32.exe
        102⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Bjodjb32.exe
        
        C:\Windows\system32\Bjodjb32.exe
        104⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Bmmpfn32.exe
        
        C:\Windows\system32\Bmmpfn32.exe
        105⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Boklbi32.exe
        
        C:\Windows\system32\Boklbi32.exe
        106⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Bgbdcgld.exe
        
        C:\Windows\system32\Bgbdcgld.exe
        107⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        109⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Bifmqo32.exe
        
        C:\Windows\system32\Bifmqo32.exe
        110⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Bppfmigl.exe
        
        C:\Windows\system32\Bppfmigl.exe
        111⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Bfjnjcni.exe
        
        C:\Windows\system32\Bfjnjcni.exe
        112⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cflkpblf.exe
        
        C:\Windows\system32\Cflkpblf.exe
        113⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        114⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Cabomkll.exe
        
        C:\Windows\system32\Cabomkll.exe
        115⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        116⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Cfogeb32.exe
        
        C:\Windows\system32\Cfogeb32.exe
        117⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Cmipblaq.exe
        
        C:\Windows\system32\Cmipblaq.exe
        118⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ccchof32.exe
        
        C:\Windows\system32\Ccchof32.exe
        119⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Cjmpkqqj.exe
        
        C:\Windows\system32\Cjmpkqqj.exe
        120⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Cpihcgoa.exe
        
        C:\Windows\system32\Cpihcgoa.exe
        121⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        122⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Cmniml32.exe
        
        C:\Windows\system32\Cmniml32.exe
        123⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Cpleig32.exe
        
        C:\Windows\system32\Cpleig32.exe
        124⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Cgcmjd32.exe
        
        C:\Windows\system32\Cgcmjd32.exe
        125⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Cjaifp32.exe
        
        C:\Windows\system32\Cjaifp32.exe
        126⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Dakacjdb.exe
        
        C:\Windows\system32\Dakacjdb.exe
        127⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        128⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Diffglam.exe
        
        C:\Windows\system32\Diffglam.exe
        129⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Dhhfedil.exe
        
        C:\Windows\system32\Dhhfedil.exe
        130⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        131⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Dpckjfgg.exe
        
        C:\Windows\system32\Dpckjfgg.exe
        132⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Dfmcfp32.exe
        
        C:\Windows\system32\Dfmcfp32.exe
        133⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        134⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Dinmhkke.exe
        
        C:\Windows\system32\Dinmhkke.exe
        135⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        136⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Dfamapjo.exe
        
        C:\Windows\system32\Dfamapjo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Epjajeqo.exe
        
        C:\Windows\system32\Epjajeqo.exe
        138⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        139⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Eibfck32.exe
        
        C:\Windows\system32\Eibfck32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Efffmo32.exe
        
        C:\Windows\system32\Efffmo32.exe
        141⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        142⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Epokedmj.exe
        
        C:\Windows\system32\Epokedmj.exe
        143⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Efhcbodf.exe
        
        C:\Windows\system32\Efhcbodf.exe
        144⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Eangpgcl.exe
        
        C:\Windows\system32\Eangpgcl.exe
        145⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        146⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Efkphnbd.exe
        
        C:\Windows\system32\Efkphnbd.exe
        147⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Eaqdegaj.exe
        
        C:\Windows\system32\Eaqdegaj.exe
        148⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        149⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        150⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        151⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        152⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Fmlneg32.exe
        
        C:\Windows\system32\Fmlneg32.exe
        153⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        154⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        155⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Fmnkkg32.exe
        
        C:\Windows\system32\Fmnkkg32.exe
        156⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Fhdohp32.exe
        
        C:\Windows\system32\Fhdohp32.exe
        157⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Fmqgpgoc.exe
        
        C:\Windows\system32\Fmqgpgoc.exe
        158⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ggilil32.exe
        
        C:\Windows\system32\Ggilil32.exe
        159⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Gaopfe32.exe
        
        C:\Windows\system32\Gaopfe32.exe
        160⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        161⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Gijekg32.exe
        
        C:\Windows\system32\Gijekg32.exe
        162⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        163⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        164⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        165⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Hdilnojp.exe
        
        C:\Windows\system32\Hdilnojp.exe
        166⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        167⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Hdkidohn.exe
        
        C:\Windows\system32\Hdkidohn.exe
        169⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Hjhalefe.exe
        
        C:\Windows\system32\Hjhalefe.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        171⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Hpdfnolo.exe
        
        C:\Windows\system32\Hpdfnolo.exe
        172⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Hhknpmma.exe
        
        C:\Windows\system32\Hhknpmma.exe
        173⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Hkjjlhle.exe
        
        C:\Windows\system32\Hkjjlhle.exe
        174⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Hjlkge32.exe
        
        C:\Windows\system32\Hjlkge32.exe
        175⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Igqkqiai.exe
        
        C:\Windows\system32\Igqkqiai.exe
        176⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Iafonaao.exe
        
        C:\Windows\system32\Iafonaao.exe
        177⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Igchfiof.exe
        
        C:\Windows\system32\Igchfiof.exe
        179⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Inmpcc32.exe
        
        C:\Windows\system32\Inmpcc32.exe
        180⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Iqklon32.exe
        
        C:\Windows\system32\Iqklon32.exe
        181⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        182⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        183⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ibmeoq32.exe
        
        C:\Windows\system32\Ibmeoq32.exe
        184⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        185⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Ihgnkkbd.exe
        
        C:\Windows\system32\Ihgnkkbd.exe
        186⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Ikejgf32.exe
        
        C:\Windows\system32\Ikejgf32.exe
        187⤵
        
        PID:560
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        188⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ibobdqid.exe
        
        C:\Windows\system32\Ibobdqid.exe
        189⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        190⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        191⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        192⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        193⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Jqglkmlj.exe
        
        C:\Windows\system32\Jqglkmlj.exe
        194⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Jhndljll.exe
        
        C:\Windows\system32\Jhndljll.exe
        195⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Jdedak32.exe
        
        C:\Windows\system32\Jdedak32.exe
        196⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Jjamia32.exe
        
        C:\Windows\system32\Jjamia32.exe
        197⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        198⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Jibmgi32.exe
        
        C:\Windows\system32\Jibmgi32.exe
        199⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        200⤵
        Modifies registry class
        
        PID:7564
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        201⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        202⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        203⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Kqpoakco.exe
        
        C:\Windows\system32\Kqpoakco.exe
        204⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Kiggbhda.exe
        
        C:\Windows\system32\Kiggbhda.exe
        205⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Kkfcndce.exe
        
        C:\Windows\system32\Kkfcndce.exe
        206⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Kbpkkn32.exe
        
        C:\Windows\system32\Kbpkkn32.exe
        207⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Kijchhbo.exe
        
        C:\Windows\system32\Kijchhbo.exe
        208⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Kjkpoq32.exe
        
        C:\Windows\system32\Kjkpoq32.exe
        209⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Kaehljpj.exe
        
        C:\Windows\system32\Kaehljpj.exe
        210⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Kgopidgf.exe
        
        C:\Windows\system32\Kgopidgf.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8020
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        212⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        213⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Kecabifp.exe
        
        C:\Windows\system32\Kecabifp.exe
        214⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        215⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Leenhhdn.exe
        
        C:\Windows\system32\Leenhhdn.exe
        216⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        217⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Lalnmiia.exe
        
        C:\Windows\system32\Lalnmiia.exe
        218⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        220⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        221⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Lejgch32.exe
        
        C:\Windows\system32\Lejgch32.exe
        222⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        223⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        224⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        225⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        226⤵
        Modifies registry class
        
        PID:7940
        
        C:\Windows\SysWOW64\Lbpdblmo.exe
        
        C:\Windows\system32\Lbpdblmo.exe
        227⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        228⤵
        Drops file in System32 directory
        
        PID:8080
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        229⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        230⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mlkepaam.exe
        
        C:\Windows\system32\Mlkepaam.exe
        231⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        232⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        233⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        234⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        235⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        236⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Majjng32.exe
        
        C:\Windows\system32\Majjng32.exe
        237⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Mhdckaeo.exe
        
        C:\Windows\system32\Mhdckaeo.exe
        238⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Mbighjdd.exe
        
        C:\Windows\system32\Mbighjdd.exe
        239⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Mehcdfch.exe
        
        C:\Windows\system32\Mehcdfch.exe
        240⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        241⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Mlbkap32.exe
        
        C:\Windows\system32\Mlbkap32.exe
        242⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Mnphmkji.exe
        
        C:\Windows\system32\Mnphmkji.exe
        243⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        244⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Mejpje32.exe
        
        C:\Windows\system32\Mejpje32.exe
        245⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Mhilfa32.exe
        
        C:\Windows\system32\Mhilfa32.exe
        246⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        247⤵
        Drops file in System32 directory
        
        PID:8216
        
        C:\Windows\SysWOW64\Naaqofgj.exe
        
        C:\Windows\system32\Naaqofgj.exe
        248⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Nemmoe32.exe
        
        C:\Windows\system32\Nemmoe32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8300
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        250⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Neoieenp.exe
        
        C:\Windows\system32\Neoieenp.exe
        251⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Nliaao32.exe
        
        C:\Windows\system32\Nliaao32.exe
        252⤵
        Modifies registry class
        
        PID:8436
        
        C:\Windows\SysWOW64\Nognnj32.exe
        
        C:\Windows\system32\Nognnj32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8480
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        254⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        255⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Nojjcj32.exe
        
        C:\Windows\system32\Nojjcj32.exe
        256⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        257⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Nhbolp32.exe
        
        C:\Windows\system32\Nhbolp32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8692
        
        C:\Windows\SysWOW64\Nolgijpk.exe
        
        C:\Windows\system32\Nolgijpk.exe
        259⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        260⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Niakfbpa.exe
        
        C:\Windows\system32\Niakfbpa.exe
        261⤵
        Modifies registry class
        
        PID:8824
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        262⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        263⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        264⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        265⤵
        Drops file in System32 directory
        
        PID:8996
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        266⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        267⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9116
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        269⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\Olgncmim.exe
        
        C:\Windows\system32\Olgncmim.exe
        270⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        271⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Oadfkdgd.exe
        
        C:\Windows\system32\Oadfkdgd.exe
        272⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        273⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        274⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        275⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        276⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        277⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        278⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Piphgq32.exe
        
        C:\Windows\system32\Piphgq32.exe
        279⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Plndcl32.exe
        
        C:\Windows\system32\Plndcl32.exe
        280⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        281⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        282⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Plpqil32.exe
        
        C:\Windows\system32\Plpqil32.exe
        283⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        284⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        285⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        286⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Pkenjh32.exe
        
        C:\Windows\system32\Pkenjh32.exe
        287⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        288⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Pekbga32.exe
        
        C:\Windows\system32\Pekbga32.exe
        289⤵
        Drops file in System32 directory
        
        PID:8628
        
        C:\Windows\SysWOW64\Phincl32.exe
        
        C:\Windows\system32\Phincl32.exe
        290⤵
        Drops file in System32 directory
        
        PID:8720
        
        C:\Windows\SysWOW64\Pkhjph32.exe
        
        C:\Windows\system32\Pkhjph32.exe
        291⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8976
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        293⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Qhlkilba.exe
        
        C:\Windows\system32\Qhlkilba.exe
        294⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Qkjgegae.exe
        
        C:\Windows\system32\Qkjgegae.exe
        295⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        296⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        297⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        298⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Qkmdkgob.exe
        
        C:\Windows\system32\Qkmdkgob.exe
        299⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        300⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        301⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Akoqpg32.exe
        
        C:\Windows\system32\Akoqpg32.exe
        302⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9208
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        304⤵
        Modifies registry class
        
        PID:8468
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        305⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        306⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Alqjpi32.exe
        
        C:\Windows\system32\Alqjpi32.exe
        307⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Ackbmcjl.exe
        
        C:\Windows\system32\Ackbmcjl.exe
        308⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\Afinioip.exe
        
        C:\Windows\system32\Afinioip.exe
        309⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        310⤵
        Modifies registry class
        
        PID:9332
        
        C:\Windows\SysWOW64\Akffafgg.exe
        
        C:\Windows\system32\Akffafgg.exe
        311⤵
        Drops file in System32 directory
        
        PID:9368
        
        C:\Windows\SysWOW64\Abponp32.exe
        
        C:\Windows\system32\Abponp32.exe
        312⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Ajggomog.exe
        
        C:\Windows\system32\Ajggomog.exe
        313⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        314⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        315⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        316⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Bbdhiojo.exe
        
        C:\Windows\system32\Bbdhiojo.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9632
        
        C:\Windows\SysWOW64\Bjlpjm32.exe
        
        C:\Windows\system32\Bjlpjm32.exe
        318⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\Bljlfh32.exe
        
        C:\Windows\system32\Bljlfh32.exe
        319⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\Bohibc32.exe
        
        C:\Windows\system32\Bohibc32.exe
        320⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        321⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        322⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        323⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Bjpjel32.exe
        
        C:\Windows\system32\Bjpjel32.exe
        324⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Bkafmd32.exe
        
        C:\Windows\system32\Bkafmd32.exe
        325⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\Bkdcbd32.exe
        
        C:\Windows\system32\Bkdcbd32.exe
        326⤵
        Drops file in System32 directory
        
        PID:10012
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        327⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Cmcolgbj.exe
        
        C:\Windows\system32\Cmcolgbj.exe
        328⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Cbphdn32.exe
        
        C:\Windows\system32\Cbphdn32.exe
        329⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Ckilmcgb.exe
        
        C:\Windows\system32\Ckilmcgb.exe
        330⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        331⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        332⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        333⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        334⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Cjnffjkl.exe
        
        C:\Windows\system32\Cjnffjkl.exe
        335⤵
        Modifies registry class
        
        PID:9404
        
        C:\Windows\SysWOW64\Cmmbbejp.exe
        
        C:\Windows\system32\Cmmbbejp.exe
        336⤵
        Modifies registry class
        
        PID:9488
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        337⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Dcigeooj.exe
        
        C:\Windows\system32\Dcigeooj.exe
        338⤵
        Drops file in System32 directory
        
        PID:9620
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        339⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        340⤵
        Modifies registry class
        
        PID:9760
        
        C:\Windows\SysWOW64\Dmdhcddh.exe
        
        C:\Windows\system32\Dmdhcddh.exe
        341⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9820
        
        C:\Windows\SysWOW64\Dcnqpo32.exe
        
        C:\Windows\system32\Dcnqpo32.exe
        342⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        343⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        344⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Djjebh32.exe
        
        C:\Windows\system32\Djjebh32.exe
        345⤵
        Drops file in System32 directory
        
        PID:9996
        
        C:\Windows\SysWOW64\Dlkbjqgm.exe
        
        C:\Windows\system32\Dlkbjqgm.exe
        346⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        347⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        348⤵
        Drops file in System32 directory
        
        PID:10200
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        349⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        350⤵
        Modifies registry class
        
        PID:9388
        
        C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        351⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        352⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        353⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        354⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        356⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        357⤵
        Modifies registry class
        
        PID:10048
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        358⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\Elgaeolp.exe
        
        C:\Windows\system32\Elgaeolp.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        360⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        361⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        362⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        363⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Fmkgkapm.exe
        
        C:\Windows\system32\Fmkgkapm.exe
        364⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Fpjcgm32.exe
        
        C:\Windows\system32\Fpjcgm32.exe
        365⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        366⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        367⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        368⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        369⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        370⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Hmnmgnoh.exe
        
        C:\Windows\system32\Hmnmgnoh.exe
        371⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        372⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Hdhedh32.exe
        
        C:\Windows\system32\Hdhedh32.exe
        373⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        374⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        375⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        376⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        377⤵
        Drops file in System32 directory
        
        PID:9428
        
        C:\Windows\SysWOW64\Hdmoohbo.exe
        
        C:\Windows\system32\Hdmoohbo.exe
        378⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        379⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        380⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        381⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2892
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        382⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        383⤵
        Modifies registry class
        
        PID:10088
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        384⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        385⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        386⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        387⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        388⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        389⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        390⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Kkpbin32.exe
        
        C:\Windows\system32\Kkpbin32.exe
        391⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        392⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        393⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        394⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Kdkdgchl.exe
        
        C:\Windows\system32\Kdkdgchl.exe
        395⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        396⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        397⤵
        Modifies registry class
        
        PID:10880
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        398⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        399⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        400⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Kqdaadln.exe
        
        C:\Windows\system32\Kqdaadln.exe
        401⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        402⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        403⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        404⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        405⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        406⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        407⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        408⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        409⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        410⤵
        Drops file in System32 directory
        
        PID:10508
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        411⤵
        Drops file in System32 directory
        
        PID:10576
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        412⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        413⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        414⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        415⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        416⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        417⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        418⤵
        Drops file in System32 directory
        
        PID:11068
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        419⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        420⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        421⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Mminhceb.exe
        
        C:\Windows\system32\Mminhceb.exe
        422⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        423⤵
        Drops file in System32 directory
        
        PID:10468
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        424⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        425⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        426⤵
        Modifies registry class
        
        PID:10764
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        427⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        428⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        429⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        430⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        431⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        432⤵
        Drops file in System32 directory
        
        PID:10488
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        433⤵
        Modifies registry class
        
        PID:10640
        
        C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        434⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        435⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        436⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        437⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        438⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        439⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        440⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        441⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        442⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        443⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        444⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        445⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        446⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        447⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        448⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        449⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        450⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        451⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11528
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        452⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        453⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        454⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        455⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        456⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        457⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Qmhlgmmm.exe
        
        C:\Windows\system32\Qmhlgmmm.exe
        458⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        459⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        460⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        461⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        462⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        463⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        464⤵
        Drops file in System32 directory
        
        PID:12092
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        465⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        466⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        467⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        468⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        469⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        470⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        471⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        472⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        473⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        474⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        475⤵
        
        PID:11684
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        476⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11772
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        477⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        478⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        479⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        480⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12044
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        481⤵
        Drops file in System32 directory
        
        PID:12088
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        482⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        483⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12216
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        484⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        485⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11312
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        486⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        487⤵
        Modifies registry class
        
        PID:11564
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        488⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        489⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        490⤵
        Modifies registry class
        
        PID:11900
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        491⤵
        Modifies registry class
        
        PID:11984
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        492⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        493⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        494⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11308
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        495⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        496⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11712
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        497⤵
        Modifies registry class
        
        PID:11884
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        498⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        499⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        500⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        501⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        502⤵
        Drops file in System32 directory
        
        PID:11988
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        503⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        504⤵
        Modifies registry class
        
        PID:11644
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        505⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        506⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        507⤵
        Drops file in System32 directory
        
        PID:11580
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        508⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        509⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        510⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        511⤵
        Drops file in System32 directory
        
        PID:12332
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        512⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        513⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        514⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        515⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        516⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        517⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        518⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        519⤵
        
        PID:12644
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        520⤵
        Modifies registry class
        
        PID:12684
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        521⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        522⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        523⤵
        Modifies registry class
        
        PID:12816
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        524⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        525⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        526⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        527⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        528⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        529⤵
        Modifies registry class
        
        PID:13064
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        530⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        531⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        532⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        533⤵
        Drops file in System32 directory
        
        PID:13236
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        534⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        535⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        536⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        537⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        538⤵
        Modifies registry class
        
        PID:12456
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        539⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        540⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        541⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        542⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        543⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        544⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12740
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        546⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        547⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        548⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        549⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4632
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        550⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        551⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        552⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        553⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        554⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        555⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        556⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        557⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10696
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        558⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        559⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        560⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        561⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        562⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        563⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        564⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        565⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        566⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        567⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        568⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        569⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        570⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12876
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        571⤵
        Drops file in System32 directory
        
        PID:12956
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        572⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        573⤵
        
        PID:13052
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        574⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        575⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4764
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        576⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:13232
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        577⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        578⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        579⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        580⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        581⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        582⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        583⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        584⤵
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        585⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        586⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        587⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        588⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        589⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        590⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        591⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        592⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        593⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        594⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        595⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        596⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        597⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        598⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        599⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        600⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        601⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4228
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        602⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        603⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        604⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        605⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        606⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        607⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        608⤵
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        609⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        610⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        611⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        612⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        613⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        614⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        615⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        616⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        617⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10980
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        618⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        619⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        620⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12640
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        621⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        622⤵
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        623⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        624⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        625⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        626⤵
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        627⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        628⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        629⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        630⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        631⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        632⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        633⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        634⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        635⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        636⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        637⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        638⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        639⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        640⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        641⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        642⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4548
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        643⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        644⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        645⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        646⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        647⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        648⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        649⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        650⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        651⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        652⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        653⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        654⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        655⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        656⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        657⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        658⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        659⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        660⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        661⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        662⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        663⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        664⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        665⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        666⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        667⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        668⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        669⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        670⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        671⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        672⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        673⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        674⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        675⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        676⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        677⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        678⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        679⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        680⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        681⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        682⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        683⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        684⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        685⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        686⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        687⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        688⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        689⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        690⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        691⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        692⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        693⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        694⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        695⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        696⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        697⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        698⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        699⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        700⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        701⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        702⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        703⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        704⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        705⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        706⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        707⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        708⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        709⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        710⤵
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        711⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        712⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        713⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        714⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        715⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        716⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        717⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        718⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        719⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        720⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        721⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        722⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        723⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        724⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        725⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        726⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        727⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        728⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        729⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        730⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        731⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        732⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        733⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        734⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        735⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        736⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        737⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        738⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        739⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        740⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        741⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7072
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        742⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        743⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        744⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        745⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        746⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        747⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        748⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        749⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        750⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        751⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        752⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        753⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        754⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        755⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        756⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        757⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        758⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        759⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        760⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        761⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        762⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        763⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        764⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        765⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        766⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        767⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        768⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        769⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        770⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        771⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        772⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        773⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        774⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        775⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        776⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        777⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        778⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        779⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        780⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        781⤵
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        782⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        783⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        784⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7532
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        785⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        786⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        787⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        788⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        789⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        790⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        791⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        792⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        793⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        794⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        795⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        796⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        797⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        798⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7876
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        799⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        800⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        801⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        802⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        803⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        804⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        805⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        806⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        807⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        808⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        809⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        810⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        811⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        812⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        813⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        814⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        815⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        816⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        817⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        818⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        819⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        820⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        821⤵
        Drops file in System32 directory
        
        PID:7612
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        822⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        823⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        824⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        825⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        826⤵
        Drops file in System32 directory
        
        PID:8704
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        827⤵
        Modifies registry class
        
        PID:8824
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        828⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        829⤵
        Drops file in System32 directory
        
        PID:8392
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        830⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        831⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        832⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        833⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        834⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        835⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        836⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        837⤵
        Modifies registry class
        
        PID:9116
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        838⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8460
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        839⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        840⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        841⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        842⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        843⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        844⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        845⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        846⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        847⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        848⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        849⤵
        Modifies registry class
        
        PID:8680
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        850⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        851⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        852⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        853⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        854⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7904
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        855⤵
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        856⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        857⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        858⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        859⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        860⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        861⤵
        Modifies registry class
        
        PID:8672
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        862⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        863⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        864⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        865⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        866⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        867⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        868⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        869⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        870⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        871⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        872⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        873⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8768
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        874⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        875⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        876⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        877⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        878⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        879⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        880⤵
        Drops file in System32 directory
        
        PID:9800
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        881⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        882⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        883⤵
        Drops file in System32 directory
        
        PID:8420
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        884⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        885⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        886⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        887⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        888⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        889⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9524
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        890⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        891⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        892⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        893⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        894⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        895⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        896⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        897⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        898⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        899⤵
        Modifies registry class
        
        PID:8744
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        900⤵
        Modifies registry class
        
        PID:9812
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        901⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        902⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        903⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        904⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        905⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        906⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        907⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8876 -s 400
        908⤵
        Program crash
        
        PID:10092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8876 -ip 8876
1⤵
PID:9032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
76KB

MD5
458fbbd2a26b419f24c15763902439f5

SHA1
b90485cbc8a60f68616372a2ccd1f661d1115b8a

SHA256
eed650f9c56311dd79f618f388858162d39301d03ed326da33d066d3cf5e83ad

SHA512
6db5ab812f64776cb365f53980dfb0f608ba77beb432566352c2a9371e2f8b01159c2d0c9a4f5bad92d783f7cbfca512877e00e5632b9037739880e7985fb924

Download Submit
C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
76KB

MD5
bc52654b1a5c54e99af894bd7641e8a1

SHA1
582b55bf5539ccc0efa6dd5ba375bf8d453aeec5

SHA256
287b1ed60e06bdbd600b45920e6638b4c51a7cbe4fef7e5f6bf8694798aaa638

SHA512
5a27aa47db05ec79ac80355c3500cd523768cf5b7b5e528118282efb844edbe0df15a291fee1c3305a84e829df2b6ccb6385939794775d5ed4cbfd71c5473da9

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
76KB

MD5
2b90d456c2b13a4851399b5d9c2ea84f

SHA1
a137d5bed3a66846b69494c87ca73f42cad2fc28

SHA256
278355741e0244c2f85184b39ca6ea217498f5af4d72f9ec5268b0417aed1401

SHA512
6d5f535071064da0a1d1c513954085ec6505492f9cd5f824c7d931f3b565ccd206ec5c83d4c4ba9800094559b189198ca82e261111a05fee63ad58e873259e40

Download Submit
C:\Windows\SysWOW64\Bkafmd32.exe

Filesize
76KB

MD5
d287087b6bb3a92718dd87b297fe9f76

SHA1
482c93ab1f14923fdb6ba30a573983c012756601

SHA256
6681933bc4aaba3f98d5fc4fbdb9fdf9907537e6547059f5c2b46684905ed314

SHA512
28e5812fdde0f4388035f246381d63b0f1be8dda075c8de7701c363b8e76124b10fbfc98e9618cf52f5fba504417097572231f1e0742457a535ad18aef5f3476

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
76KB

MD5
fe6452b7725a5f4d686bc301d57bbefb

SHA1
b703ef993655884d844fda72f75940cd86906261

SHA256
5aaf47e621f0513298d4f7ad64e4fcf4c93eac3bfa4c8563e256b85f0a459a71

SHA512
b4fdfd64db7582d5f5e794ce0154ff3968980f8f9fd8d48084c2719eedd99b398b5918f76b10fcf97552c17c314ac2a4b50b1adc9c8bf292f35e0b8e7ce420e7

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
76KB

MD5
e70663a5a60db9b9aeb6f134e86c4019

SHA1
72595fb91c375c394aafc42f11c3264f1e4864fe

SHA256
167838ead06ccfe9cb04bfafa3ed2a29fa6b0c06af0a922e88232325ab709c2b

SHA512
dae7d56fc0841b2b42ae3cfacd5c5e3c6d894f540cdcd8ce7b12c351b36f54387a0d3a321cb797376b97273ed8c45b6cb98a1d8d041a994d258608a3c498b201

Download Submit
C:\Windows\SysWOW64\Dmoohe32.exe

Filesize
76KB

MD5
17a0cb7266b570234a10b19aab32fd6f

SHA1
51ab86111924a0cc1d9ab1320ce36d1895e6c8f9

SHA256
695b2a73edc39fa2d95cb53bd864b9213a0079c236ec7ea18a417c7556276b09

SHA512
8ceb6c9385cf3ba03603024391828c1db80705e29aa6fbe45b68f2a25916e6dba905512458333db715d4ecd20158066e9fc4ce75cd5d5c032b5601805306e644

Download Submit
C:\Windows\SysWOW64\Elgaeolp.exe

Filesize
76KB

MD5
81a6bb70e68c526e406925fbbc6311b1

SHA1
ccfcd9c6be4c98f6c4fbd0d7a2257a96724f3e6e

SHA256
dfbad49e6f5a9f1f76cc142feb418e21dd2556ac36e469522c63a095d57e6964

SHA512
8dc4ed26064fba10fdd06476cca16feab58af142de065563fb733b4418b0e9cb49a185c6ea378c11f922e76b3855c2453517848046918253f9e8a6823ec690f2

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
76KB

MD5
17d75c1a698ff4aac29846475589df12

SHA1
a9f0ed3a015d9b00fb0b22ba0fec663211e7589d

SHA256
93b89bc06e49dacf6417258d78af822458f05486d657d559ea5e17ed112adda1

SHA512
5bacc9c51f111e610066304a85087bbbb7139ab83000f8c43f7d9b3f135f89c2ac30f737ba66b7f667284b0521d70677f8f73042a5db8f1c1f969e49ce956438

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
76KB

MD5
011ba1816bf2cd8188d23621bc115664

SHA1
610a5e0e417e1b03976bf95b0c6b63e340b94ace

SHA256
3b49b695b58f2b9a5597a5c994d9fc5b41a96eac0488a8f6128ca8b3b8303a3d

SHA512
ff080efa41cb2255a5e190051242084f5c441b7811b2361f342871173b84dde0e6ae14121ad77d8d289d34613f031a0c74f4eaaa8c35a1bcf73fade45c853452

Download Submit
C:\Windows\SysWOW64\Fhmigagd.exe

Filesize
76KB

MD5
0be2a8aa173aefc586e39a3bd6654aac

SHA1
5b8e897e98e3b584ec04aa5079c6d849d82123ff

SHA256
0fb9a605f83dc15d8f2f100ff19e74baa48eed3ff1fd2cc1c4d302f55d9e9bd1

SHA512
44f4ef032583d3a086b5226ccd79f53be87f521a16b96203b075946c0c51bd89b0b9d6db5d6d459e9951a39209647b2746dbae3d3c28869e119c72710b699230

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
76KB

MD5
f62e9993883837df358dc926f5ae56cc

SHA1
af4d0a58b0172b5b63a756e4d6d0c0771c2e9402

SHA256
416e22980c6c0b9edf8fda1f8bafde2b6a78cf8b7031e7961a6c4958fbdf79b5

SHA512
1cb26a767e8bb35ee537bb74bfa82593e778be22f16e2508fe6a7b467e5a80aa150e525d10379b3820523e05f14f2b14738fa5558bc72fe8ea327214f69bfcd9

Download Submit
C:\Windows\SysWOW64\Gbdoof32.exe

Filesize
76KB

MD5
871bea28065ace2b8f279a863d38bfb5

SHA1
8fd4142098c33f870972a659a32ac7a0999f823a

SHA256
faa5d11f1a962f578f7d5e5ff1624b8a9f1deed96bf7983d566b64c86b22239a

SHA512
e5abed09190dd712f929a5fbeb629b20e0035f54eeca806986e952236822ec56bcb0317e926693004210f03bff0159f2dfcff74c75bf7dfd3e77bad85fbc420f

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
76KB

MD5
b0fb45eb27349afa9cbb8b0c214b593f

SHA1
e5c48dd412e42a23f7b57c2849130b557e5295b2

SHA256
c2819fce34e03b6f31016975f78228b5c4a24a9640a04aaf19c3b1cd72e5e629

SHA512
fb0e4ddcef4eb82e589d89cca5179eb7d93332dc544b7a3ba57ec494158c9db45683a506c2e2e52cbb5d9116d860dd42239d755eedbb60ee15ad874208b48d51

Download Submit
C:\Windows\SysWOW64\Hbbmmi32.exe

Filesize
76KB

MD5
5660292ec3b0c947ef3c8d3ce6058199

SHA1
9be4d21423e4f119ca60ba95c13d17f38452c456

SHA256
bde9c6234c72519f3c65fea40d916c59c8708d5253678188d237552a0ebc3ed1

SHA512
87a3c4faf70cd3de4b40118e3541e5a9e73732c4cf30ce6cb60fd6001468d1b046cf6e1deeda99c55cbaa2cd0ab252d1ef875406762fb982e0d37dfef4dea0de

Download Submit
C:\Windows\SysWOW64\Hdlpneli.exe

Filesize
76KB

MD5
eab053a94276959b64ab1bced433d56c

SHA1
2f3127067dcf9cec08fc85621500372d76185e40

SHA256
0646e08cd161d0b23b889adef4972c15b0ac5966e620370e43815f935b2aa7c0

SHA512
c2c5a903252dd74b1004538ce6f85a8d0077ab9a595ce14d1f24f55c59989e1ee56541cb5a5d9a589faa7e83959719b8d935a430639cf427bfb87d8454bbb349

Download Submit
C:\Windows\SysWOW64\Hdpiid32.exe

Filesize
76KB

MD5
4e2d201b18926fc3ac29aefce6223c3a

SHA1
641222813f797edc494f4b1e8e40758965ea2669

SHA256
860226bfe2433118e1f1214a0ed31d59b82f8615352e56eee60569b62ae0a381

SHA512
21749d56fa3ea8dc5fc340d40f62179ba24b8fd60f279d3528c8d8614b948a283ad68732c1db4bbd54f7e6cc91cc1efd0f17d2e290a287fdaf8a06562109621b

Download Submit
C:\Windows\SysWOW64\Hhnbpb32.exe

Filesize
76KB

MD5
c92419ee897c68db1188de1c5bbbcb34

SHA1
cc2cd2dcf2e798680a3f66a9f559072d0e8f1643

SHA256
1b5077a875922148314cb5f7cda14b5f10b4ace892d342bf5fc30311c40292b3

SHA512
580699ca8dd94b8cbb6068859734850b9f05d47c997f8fb7173a69fc7dbf9a87170c81ed6de2eb991f1e662f148f2303c86d9a1124db01cf58a8ba075576157c

Download Submit
C:\Windows\SysWOW64\Hkhdqoac.exe

Filesize
76KB

MD5
85e439ca96d397929810ee0ba5733b8c

SHA1
fbcd2176b1b087d9687594406ff2717e3e3a1b33

SHA256
3ed2435d4564ca709e97a98bb2d9f21c7f84a89c2340b5d8e05d8fa9c72dfbbf

SHA512
a523098e71c9681a28fd8dac48a0d8af78f0b2a8a42afff09235703e3320585088e53e402cbcba14eceb9b45f6fdd7eee3a1b57cf3a731c6ea3955cf391e3e0d

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

Filesize
76KB

MD5
a4e3cc298646df606bdfaabfd1b53714

SHA1
684589428b3c64e11d5151aba3e1b898bdb864ca

SHA256
50aeecc6d11484e1186d3e4e8fd3360287eb4553cef1c0d56833ab576fa6f1d6

SHA512
f4c890693c359a7fed690aba4cd39b1869fd1270c85369860de512ca2b729c8366f4d275777a763d24f7e4b34b298d6f9b26040feb53f4b52c83b026683afb03

Download Submit
C:\Windows\SysWOW64\Idebdcdo.exe

Filesize
44KB

MD5
1b5a473e21ddd781a80ab1b9c05f3479

SHA1
f7bcdf5f37aea73c532b219208904e2b526740eb

SHA256
6dca87a64fd48a181993cdc5853d2233c73a53ba7900d6194f6048a3e3bc19f9

SHA512
5a49cadd607ee42ed534735920ee684e5bd21820dc0c3e50d0c8183c4acb7767a2ae2d639734e0fa981ca4f090792822138e3feafab08139c2d5a278347879e8

Download Submit
C:\Windows\SysWOW64\Idebdcdo.exe

Filesize
76KB

MD5
17458f62ad23d1378df46f44fa0ce612

SHA1
4876631ae1d4bf8a0902126cf3c2c7134a97da2d

SHA256
912a376c09ce91f3e33132b77598768b17d1d83f76e83330a9a6504e5a7d2d7e

SHA512
ee32a7483d543dea87abf98afe374e8270a7c085da64ceefaab911a1b6dceca5081de4f7913779f18e7f9e4cb1db8d35a72c1e89f80934b841bc13b86795fecd

Download Submit
C:\Windows\SysWOW64\Ifdonfka.exe

Filesize
76KB

MD5
450c7d47af32fbd18310d4bc82af6463

SHA1
5abfc6a1b84136971a363425f297f0f0feb09eb2

SHA256
91a1e744b67dba95106cfd9afd980e2ef9091ed84d62d2a8c059b6443380c940

SHA512
ad2c2af159d2b1062084b93ba53ee53a4375d42dda02b5bf709fdad4bc92521c873f32ae57828466cf201b6bb4bea4b4d3310019efc3441a0717a728e768c260

Download Submit
C:\Windows\SysWOW64\Igqkqiai.exe

Filesize
76KB

MD5
395b7c842806d45caa5128ae298f9747

SHA1
eaa0d7679ed71965e00c3871ea74c6711db658c1

SHA256
25ef11bd466507eb5633b57cb5168699fad5d24419270ba0157856bbe63cd00f

SHA512
888afbfd11e4f18114ee0af6c76475ea499a874597791284bf803b7429c2de2fc448fb6627e9d9b234e1480d72045587c475b0c780e38cb1807c528dabd5ecb5

Download Submit
C:\Windows\SysWOW64\Iijaka32.exe

Filesize
76KB

MD5
6a3dc5db35e9c9a94352147e0df349dc

SHA1
8113c85dcbadad71d939592b99d54854367370de

SHA256
74a098fac01d124e850125d8ebb7f2269785cac1fe0a16c8976c09b5a26c37ec

SHA512
9a22df5fcaa5cb3c02362f8e29487f22d25f996eca4b585e96e57a383a2daf01f7c56b4a0887302999dd7c1443a5fa596ea95a75f0e16199ba0b6dbdae70f5c1

Download Submit
C:\Windows\SysWOW64\Ikaggmii.exe

Filesize
76KB

MD5
0fafc5b639142d6009c73ffde887fc53

SHA1
a4311b8815a78a40d3c5b774f8a58a6d87f2daf4

SHA256
1e69e70ddf64b30080f6e0edecb30c3cba592041045371ec8da448698035ad65

SHA512
c8bc8d3c75a0b9fbec9857113f0c516b48d740c0e4ea16058f649e7f07b8229f821ee2e637da6d96f46bcf68a2df63ded9e53b630b92e663081f0289976abc2e

Download Submit
C:\Windows\SysWOW64\Inbqhhfj.exe

Filesize
76KB

MD5
1a466f5102320a99b482bd3e6bab3cf9

SHA1
eb59f53909c5aa6ad21d7d11e4345efc0ab5e883

SHA256
ba915cbbf944a85368f10d8f3a662cabc20328a9939b1275506b93a17bb1de48

SHA512
f78b9da3a7a3a5dbc556fe5aa9099e9c6eb0465b5b16874f72b075e31f32f0f024f310f883fa7560228f77eddc191b1e0a0e0bd7fab188a42aeaacc133ddc514

Download Submit
C:\Windows\SysWOW64\Inkjhi32.exe

Filesize
76KB

MD5
e268b50f4aa0b982588d635e76101612

SHA1
4297c11f6b62c4c6586cc3e7180693e060768b01

SHA256
a78711abe9f2d2231055f02198878c2aabe8d2e68b820ff2d426e5086ceaae80

SHA512
f481e494fbef333239fc0bdfb233eec021dbade489d1c93a7e35b10d5e6d10c0079f1798cb6564a836e4fc074b87ce37b5beff5d4c13abd041b260df8c68e9a9

Download Submit
C:\Windows\SysWOW64\Inpccihl.exe

Filesize
76KB

MD5
e28b21f2e76fb9148e792b62cae00a7d

SHA1
e37d07c625e81c5280956392eee87c1eb763031e

SHA256
0d1c7d799d21f65f68e94fb6465107c36ecfd5eb41412d33a30deaf37c31dffc

SHA512
57fae53d8ed097bd9e617cd3d86a9e1d12a4761028ebcff64b42aea21774a67ebc6481e99721b0a3766b413bbc0a107327292941bcefc842fb860c6f0207dbc0

Download Submit
C:\Windows\SysWOW64\Ioambknl.exe

Filesize
76KB

MD5
0fbaed9e2bc819babd7b3c773996d3db

SHA1
ef9c53dfa565be2703f69421a791a25af506e225

SHA256
555c1fe61de01e51e5fd1a0e098eb7c72699dd96e5e6acf043b146e1fbdf449c

SHA512
e37ab560052eaf169e924b75c7aa6ea6924314b9b242d80e672471e6117ba43032edd80890953cf40dcd8bb2d5ae3b3f527dc5fded82599d3ae94e97d0f8ba03

Download Submit
C:\Windows\SysWOW64\Iokgal32.exe

Filesize
76KB

MD5
95413f1965f6a5fb98028e5a633d2e15

SHA1
5d34d066c1ec726241e5725ad461562dc9300f2b

SHA256
dcee63ccab6e297d5eef39c5efcf7ee59d2c2402b15aabc64e93ca148124d718

SHA512
e737013022d22577ef3d5fb8072ce9580857ab1efccce134fde27f6f6f8e313a5268db3701b66db2040ba7de01903da19600296106699db2fe06e0009cb2b511

Download Submit
C:\Windows\SysWOW64\Jbbfdfkn.exe

Filesize
76KB

MD5
d003ebceed2dfc281a8b047f0a2d0377

SHA1
ad28f1123e212631c229dfdbd590411ed35ed1ca

SHA256
82d02af0d602418fc0c99eac9b69121e42fb93cb95ac9fc47318616add71eb53

SHA512
39b5f4c3e3f492ec9d156b1bac8814f146da8e12d305a64f305b2205a0b52f8d0773671529b083d80367d652db2af450ebfcd3a069ec4f5a88f64eec75ff002c

Download Submit
C:\Windows\SysWOW64\Jbgoof32.exe

Filesize
76KB

MD5
a57c432c5d3228bbbad102efd5a23e35

SHA1
cc2d3270bd900a10731e8b2f6a8ac4dc4d963aa3

SHA256
b253ab61b67377f7706092cb0e9fac911b108db7147c72407feee740dcdc79d0

SHA512
c383e7fbf19fb42932ffc05fa1cb1c34606747f4959d7e178e0ed4ea0a554f5e4e1a805a434d5eed96eeae8d74200cc08c3a31468c70b078753a1dd871986a27

Download Submit
C:\Windows\SysWOW64\Jblijebc.exe

Filesize
76KB

MD5
7b128c45d921bf594e0d15f4eebc5747

SHA1
6a4a9432b25e0b81a026794685eeb722af0f56ab

SHA256
a8d1ac67250ca004083bfd642725cc9761d54ecc3db9d84f43ce3b261b1468e3

SHA512
a182ce59109aca5df68c2022dd545f640389ed125be7309173e02b3a7d0581f6d032dc932d6ba0d3f9da5076c1a9781303dec9e855080ce104fd25a53ebf8317

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
76KB

MD5
7dbfca0e00b84239cde294241dda0e58

SHA1
f9dc1cc30efd9022b7812768a901ac6476935271

SHA256
08ebb69269e4ed966615818cb149afa94fef9f1a44bc8426a315b1fd59e466c2

SHA512
9ed5a014c0d8c6ad31ac0fcdbb81f59e435dae4683b6ed1501995d8f1e7aa035b301b1463317102c310f6f41972f20634effd78a9d1b26ecdb41159e31959c12

Download Submit
C:\Windows\SysWOW64\Jehhaaci.exe

Filesize
76KB

MD5
8009f96c69c037b9e7a587e19dd3c1df

SHA1
4abc301cd91fff38a31f677505269edf217e8df5

SHA256
4a1abbe3a144af25631fb63c7721f1a472ecb710b31073d81e38c8e250e5e057

SHA512
adf63605b83afc242f29da192522ffdc866a9ccd724a8cfbb14444fb3e2f5c64733ce03305caa3346f092b0f94f394416313f9de87483e7c141525d49dfcc447

Download Submit
C:\Windows\SysWOW64\Jfpojead.exe

Filesize
76KB

MD5
e4e9b2be9c03e2d26cda9306d81a728b

SHA1
976f6eea333ddb69f87893e56d070844571d5662

SHA256
69d50aa0e659006c70eda02a9543d99db872905036bf08ec4f833a77deca0d87

SHA512
5c01a882edfd00349a909a47c28f613e83d9e27b6c76088b15a8cf1a3bdfd2f48b2c61596068ebaf6b11e26b1cfe9e0ff8db3ed74b3a74d5f7f0046050dc8ad0

Download Submit
C:\Windows\SysWOW64\Jgfdmlcm.exe

Filesize
76KB

MD5
92d5e08de4f8fc2cbedb2840e56dc8bd

SHA1
9e9bdee3daf1aeef641ad27f9383c884b00c90ec

SHA256
24347ea06c2f424d22017f5bb8fbe5ef3f55a60850d0328049ae0cd0b4571519

SHA512
67351a2add4b3879ab4b708e481ee140504c603dfdb4aa4eece07edf00f5c441051631f35369bf10dab65c4405dbf32e78fc53671c51b6ff68e89d951c2b3cf2

Download Submit
C:\Windows\SysWOW64\Jghabl32.exe

Filesize
76KB

MD5
af8edda60546da647b64bfbcf6780653

SHA1
4b102a95d22f460d2ff52951c1169852a994361d

SHA256
60db1c8c0db11efe96274f8b6f518ffa02c32ad301105066b593c868317c7cee

SHA512
2576e54d0c72df8af7df1042173b36d7632a39b7b3ba7a74febaa0b1bf510694db972d26f46a83392a58ccf9df11dd6177ef2b3ab6b5790d64515cf25cd2a836

Download Submit
C:\Windows\SysWOW64\Jgonlm32.exe

Filesize
76KB

MD5
5fb1329eebe9d8224c24b1a242887995

SHA1
5dceb93400a7bb6b4944296599b4a31fb03919e3

SHA256
303451d6108e4a961c5e5ce1ac20006e55fbea017dde3de7134f2addcba0117c

SHA512
86524e02d75bc5d1740e1914f4378efc9b5d0df4518573ca357d2a69c88d4e86c591ee629fd2fdfe241446e7b1e74ab8ac57feea6e2b54998fa8885cb7e575df

Download Submit
C:\Windows\SysWOW64\Jkmgblok.exe

Filesize
76KB

MD5
1a510c1715fa28a3a7ceb46b40fdccb0

SHA1
c33b7a52767d3483c8ea3d3af33611886f121784

SHA256
4f2437c8503069b527c48439933e8e00c6baa5a677b3c5b29c6f8a4e2e980d0c

SHA512
2779eda1c7bbe352810e9c124bc1088034828980484d8893c66c188f7235ddfc4798f7342094d9225c0b0d8d73d3f7e9cf867c6ceb69c7897dc8062e29ac61cc

Download Submit
C:\Windows\SysWOW64\Jkodhk32.exe

Filesize
76KB

MD5
21714b286d6b265a80793f9692a373f5

SHA1
851565ced5476f8d67c67df4f6ac28031b56d311

SHA256
4ccc611ff335c69b85559f2397b6046ac859d545fc1f52bfdcc048d600f5dc5d

SHA512
952b93449f31ea7855e51a5765cd45b4866f63ffbd6e60fbe8d0f32b06e9af36c42ab74ffdbccc3086752cd858025850080cf2e3866eeaaed303c165d958b65b

Download Submit
C:\Windows\SysWOW64\Jlhljhbg.exe

Filesize
76KB

MD5
fa026d8e9fc301f3fac30a7d5de187ad

SHA1
f8c4545924e674434e330ef5fc206f1c0906e2c0

SHA256
e521f93165cb392ff79de9ce00748d5f7b8fb51a54d34d0f679c9ad9b0a05d68

SHA512
1a7363838f347a3cdcc1a150a3ae10d17c31ea02bc66205dd7abcdd7faefe2ac38e001bf1686c90e95675f989c259bff11dc0efbd52e066383bcebc2ae8a791d

Download Submit
C:\Windows\SysWOW64\Jnnpdg32.exe

Filesize
76KB

MD5
658f3a2b56fcc024fdbb9ffbc858a096

SHA1
306cf62980534709214e6929d7297aba81e66ed8

SHA256
3bd6893f246b1faba27d1a5fd80e86c5813f4a15f09475b4e7996e5172eb4fa6

SHA512
2103d9b7158de2b8be711ca6d37c53caf4a81096ad2586632cd6b543e71aaf12de8956409732b4b19f9da79700452625a28c7603c943c8806999f39951daa8df

Download Submit
C:\Windows\SysWOW64\Kbekqdjh.exe

Filesize
76KB

MD5
e7418c604399b0d856abda7c0c473c57

SHA1
9036ae4aa790b3f002abd338dad8fa095f5767b0

SHA256
167f06e93ae2a805bb8d6e591f05140a2e76cd6aa90677928d557a0a5173cafb

SHA512
7116793ad195368069319e0f4bd781ade350019bc11c2195e7f280db6fc9c06bd114ad1f35de6f9848acc3b8df0341eb83f69f1f5a769b18de3ffc1ca733b1ec

Download Submit
C:\Windows\SysWOW64\Kelalp32.exe

Filesize
76KB

MD5
8683b95b3ca092cfef244454e2e73c93

SHA1
a4162e68f985f815cef326069438e22eaefa970d

SHA256
6ac5943a483d15a6eaa2c6fa341e95181a0bfb3d28d935284de9d9934e91dfb9

SHA512
2e43b273ede77df49374e075491dcaccf53e2fc8a09c2c21a5db37cfe4dbc820724a0fe247fc2444a95145fef2ad4b4db063a393a16aaa16905d33ffdbc39fa2

Download Submit
C:\Windows\SysWOW64\Keonap32.exe

Filesize
76KB

MD5
6ff8a150f79332a005729e31f3d4aa62

SHA1
77fd6b015dca054893cfc5981c2c4c459861c92d

SHA256
307c751e570f0cfba998ea3914b90296003e6042c419609b6aa2ab90355d1d4e

SHA512
2a60b58c7bfbf9b6552d1709c81a98f2d7c5604b49f606abfd93cf7f5dc3e5c822c3cd419c99d1a8c0e20c15d4eef42932a101f910e58ca334871e20482785cb

Download Submit
C:\Windows\SysWOW64\Kfnkkb32.exe

Filesize
76KB

MD5
a5fc44a9aa788beeef061f948b8ea307

SHA1
d6c8e686cd9f74f52f166a625fb9d6329dbd291d

SHA256
a981be694cb963bcef450e89369d819af2e1e0c4280663d3b31ad81fb3667886

SHA512
fabb0f979c19f028f8b776159f58a919420066aec98220211378049c7013b5c76326f5cec97c2c21d5d16c3b7148d9620bebe8ade19702ec2a39466d47e1701d

Download Submit
C:\Windows\SysWOW64\Kgknhl32.exe

Filesize
76KB

MD5
ff010ad0563f3896d3de132bae9e9dcd

SHA1
0855117402379049ff444fda2640f46595518f7f

SHA256
ab88acd5247a1adecc51a7bdb58f21939f62445dd9eda428dab27f95cd09e1a4

SHA512
9135be6e4274ac58d0b2fa13795bc9527841ef90d0aeb9e436e0876611d9054cacee6e2f7c0622d87df7b27897a851b69d295cca31d1c6adba8c9e58679fd02c

Download Submit
C:\Windows\SysWOW64\Klifnj32.exe

Filesize
76KB

MD5
03f8c21e6acda1ab1dea0fd98282f873

SHA1
ab63948124e8c4874e4c8281d110796b4debca69

SHA256
91243639c9f960de375f6d74612b54fa53804402109cce0167bcdfee5f2851b7

SHA512
3a34477e82896faaec536c5691e956adb47a7ea699f1e558e42aaa3149f6e1a937d85a45eeb87413e4d28ee18a43c5bac097a11d3028a090f555a52fafda17da

Download Submit
C:\Windows\SysWOW64\Klmpiiai.exe

Filesize
76KB

MD5
6161ddfef8d12f60b5634df67a90b710

SHA1
ba701f4fa933d9bc28c15c5751d047ecb6fbddf1

SHA256
571f68f81f3357cd19c36d28e4a57706e92f990d4fe35fcad989b342e7e3b69f

SHA512
2a74b2d5999c55ccf15ae7cad9015278a24e59ba92b1106ef3968c27fa80cf97ca87f9cbef8d22b9e197c2f4b68247cbeb42f2b56c2bb9dbae307927b3a3456a

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
76KB

MD5
fba91ef2857cc68182e821042854b121

SHA1
e962a92ed14fca522acd3479145e63170898f935

SHA256
4b2892339fd584be71df3cc7933fe379dde991aae1a622939e25b07fb1d77363

SHA512
4cac226dc0e991ec86cab4ab279ef9a587fe7d0b936631cb7c3558765b2def9eb05b74bb2b3428a4cf6533341b89cf46a6cb7f20b6671376835421b8a2dd9be7

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
76KB

MD5
31f46fdbc29846d0c81a8bfa16305a5f

SHA1
9f2ce3a1372f6664f9af85b7ef6b948326fb49bd

SHA256
2f3c870028f03d2ea975195a9882e7b671eaa1ea7aa70a8ffef7e29fcc606611

SHA512
de309c773f170650870a6b21543ce7908b5ffa491078eb0f30c4c3fe5bc37ac4da9914a97ac00c6c483f8db7da0af48e8105fc5f79e98171fee3b09aafa27828

Download Submit
C:\Windows\SysWOW64\Mhdjehhj.exe

Filesize
76KB

MD5
4f1ade7ef5fce395aa03ed290f513de4

SHA1
4fc6b4506a37ee62326e3b0bccbe83b02c3b103a

SHA256
36715454b5887babd7173896b8e0a5edfbd16bd0986285d8d91f0d7b924ff677

SHA512
579162a5f7c7b7bbbd8a64f28e008d41f7aa92e185ebcf8b3036648cd0267a3469af8c86af46f2beea0dd36f850a6848c4e95743a8d19481d53aa04c027f1ba5

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
76KB

MD5
bb99e406de2a9bf0a7d2b8fd9fd886b4

SHA1
af5b9eeeb7598053cbfef3f29bbff21f9a0ea2eb

SHA256
218cdb909fde939603e15127e98c0c5022e0a684dc4574c128ea93c95d1f0ae0

SHA512
2444e043db403cc9adbc03bcf0396ecaaab083386e122edd2551f6312f8944264e664a08ab021f71dda0b909b36786834dc001e0b472bcdd2519af528fef071b

Download Submit
C:\Windows\SysWOW64\Ogklelna.exe

Filesize
76KB

MD5
c7b9f764a0495e9532ae6923a379d4eb

SHA1
f10473e860062363f1ac5e9780ff88aa6e7435a7

SHA256
2d7fb6efd9bb9108181af5affb9616e50f301c12e7a8f5ecc2e8b57f6418dd27

SHA512
d73e22de010a58f414bf1aaadfbc1d12352f68bfb2ba0ab787da786208e092f4e158e1389b48ed69ded5c391b337b02ba391543418f4e1b42a406d841316ab04

Download Submit
C:\Windows\SysWOW64\Pidabppl.exe

Filesize
76KB

MD5
6e087540197413a2a7d015d04d2b2125

SHA1
428d741390a8d73e8fb7e874e56e48597d6f5a5e

SHA256
7d90d18622d1c9d42c7ee1f8be16061ba55f4f1a47b649bf9c8ae0270ee9d083

SHA512
da9c11e9358a24305282e88607efb4bf4aa28f97df2a32bfbb1de8040e6334421c3adf28de1e385b77984fd053467004a7ca9b722e6b057b78508e4476a7efa3

Download Submit
C:\Windows\SysWOW64\Ppopjp32.exe

Filesize
76KB

MD5
df305e3b5f0caac7ee2427a01fa6fcc2

SHA1
908adbd0e9204187431b5de81689da5faa94b0cf

SHA256
343028a704c63855fa29175157b01aee66895823500144f4bffeefa515604bf2

SHA512
0ce208ec9e7d59e6023060fa435e7850c908ec894ee10a1c991ab7df4ae19e811b46fc468866f4ddd38fe6559be54c3a70a46c1b2ee8763d423f8f4c17f2fd5e

Download Submit
memory/452-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads