18af77a56e9a3bd4e3c7ea0c098d5a117489e40355224bf11201be14c64a2240

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de9021299f6019706422ffdb859f636a.exe
Size

220KB
MD5

de9021299f6019706422ffdb859f636a
SHA1

d00a26cfed09a0428a154ea80c48b197b7607786
SHA256

18af77a56e9a3bd4e3c7ea0c098d5a117489e40355224bf11201be14c64a2240
SHA512

0b3b7a10d434238200f551571f2992286d870a93f011ffa08e80a5c553e80dacf758f4e54b4b6f2a8f5a452bec4d28dde313078f83ff56c3e4c7ed64178baa6a
SSDEEP

3072:TLkt3tE1WiYpehcrVpH7r5/6RQL+v6dJ0/wGOLU4eAomcrVpH7r5/6RQL+:0tduWRpeh2H3p9L+v6dD3om2H3p9L+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbofcghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjecpkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqmlknnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knippe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opcqnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgbjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnhnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpabni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbanbmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgenbfoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lankbigo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqklb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnahdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilqoobdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmnfkia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhimica.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgccinoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdpiid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlleaeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nahgoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmabggdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddhbipj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chglab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodjjimm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkabjbih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohpkmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgjgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onpjichj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgjndno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edemkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkconn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljfhqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqklb32.exe

Executes dropped EXE 64 IoCs

pid	Process
3592	Gblngpbd.exe
3416	Hbnjmp32.exe
1268	Hkfoeega.exe
4068	Heocnk32.exe
2228	Hkikkeeo.exe
732	Hbbdholl.exe
4844	Hcbpab32.exe
3420	Hmjdjgjo.exe
1620	Ilghlc32.exe
364	Jpgmha32.exe
4340	Jfcbjk32.exe
5104	Jmpgldhg.exe
4672	Jifhaenk.exe
916	Kfjhkjle.exe
840	Kpbmco32.exe
5004	Kfmepi32.exe
1844	Klimip32.exe
1212	Kimnbd32.exe
2808	Kbfbkj32.exe
4968	Klngdpdd.exe
3380	Kefkme32.exe
2072	Kplpjn32.exe
2492	Liddbc32.exe
1960	Lekehdgp.exe
3556	Llemdo32.exe
3184	Liimncmf.exe
604	Lepncd32.exe
3260	Lgokmgjm.exe
1720	Lllcen32.exe
232	Medgncoe.exe
1792	Mchhggno.exe
4464	Mmnldp32.exe
3920	Nphhmj32.exe
4688	Njqmepik.exe
464	Nlaegk32.exe
4056	Nckndeni.exe
1612	Njefqo32.exe
4888	Oponmilc.exe
424	Ogifjcdp.exe
3588	Ojgbfocc.exe
5056	Odmgcgbi.exe
3968	Ojjolnaq.exe
1416	Opdghh32.exe
4460	Ofqpqo32.exe
4284	Olkhmi32.exe
2420	Odapnf32.exe
4476	Ojoign32.exe
620	Oqhacgdh.exe
3680	Ogbipa32.exe
344	Pnlaml32.exe
4392	Pcijeb32.exe
1236	Pfhfan32.exe
3368	Pclgkb32.exe
4916	Acjclpcf.exe
1576	Anogiicl.exe
2876	Aeiofcji.exe
3800	Afjlnk32.exe
3492	Amddjegd.exe
3552	Acnlgp32.exe
4076	Ajhddjfn.exe
1604	Aabmqd32.exe
892	Ajkaii32.exe
2264	Bcebhoii.exe
4984	Bmngqdpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iefplh32.dll	Lfhnaa32.exe
File created	C:\Windows\SysWOW64\Fflohaij.exe	Fbpchb32.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Nnbebofc.dll	Kelalp32.exe
File created	C:\Windows\SysWOW64\Copkngdi.dll	Lihfcm32.exe
File created	C:\Windows\SysWOW64\Ijdgcpaf.dll	Ohjlgefb.exe
File created	C:\Windows\SysWOW64\Hhfjcdon.dll	Afkknogn.exe
File opened for modification	C:\Windows\SysWOW64\Cobkhb32.exe	Cmcolgbj.exe
File created	C:\Windows\SysWOW64\Hmhkgijk.dll	Mnpabe32.exe
File created	C:\Windows\SysWOW64\Efeihb32.exe	Ennqfenp.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Hbnjmp32.exe	Gblngpbd.exe
File created	C:\Windows\SysWOW64\Afkknogn.exe	Aoofle32.exe
File created	C:\Windows\SysWOW64\Mknjbg32.dll	Hmbfbn32.exe
File created	C:\Windows\SysWOW64\Npldbgic.dll	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Jpkphjeb.exe	Jgdhgmep.exe
File opened for modification	C:\Windows\SysWOW64\Okjnnj32.exe	Oihagaji.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Kadpdp32.exe
File created	C:\Windows\SysWOW64\Lacibgbo.dll	Nlleaeff.exe
File created	C:\Windows\SysWOW64\Lqnlgjdd.dll	Mpghkf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmhand32.exe	Djjebh32.exe
File opened for modification	C:\Windows\SysWOW64\Chglab32.exe	Cnahdi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lindkm32.exe
File opened for modification	C:\Windows\SysWOW64\Fgppmd32.exe	Ekiohclf.exe
File created	C:\Windows\SysWOW64\Lpkiph32.exe	Kiaqcnpb.exe
File created	C:\Windows\SysWOW64\Phjenbhp.exe	Pflibgil.exe
File opened for modification	C:\Windows\SysWOW64\Bqfoamfj.exe	Bogcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Eejeiocj.exe	Enpmld32.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Pofkjd32.dll	Gbofcghl.exe
File created	C:\Windows\SysWOW64\Faeghb32.dll	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Impliekg.exe	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Lhlgfb32.dll	Hpcodihc.exe
File created	C:\Windows\SysWOW64\Nlcalieg.exe	Manmoq32.exe
File opened for modification	C:\Windows\SysWOW64\Hlkfbocp.exe	Giljfddl.exe
File created	C:\Windows\SysWOW64\Hanpdgfl.dll	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Lonege32.dll	Mlnipg32.exe
File opened for modification	C:\Windows\SysWOW64\Phhhhc32.exe	Pfillg32.exe
File created	C:\Windows\SysWOW64\Inmdohhp.dll	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Ekooihip.dll	Kkconn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Gkobjpin.exe	Ggcfja32.exe
File created	C:\Windows\SysWOW64\Dqdhfd32.dll	Pfillg32.exe
File created	C:\Windows\SysWOW64\Bfjnjcni.exe	Bmbiamhi.exe
File opened for modification	C:\Windows\SysWOW64\Ekaapi32.exe	Eicedn32.exe
File created	C:\Windows\SysWOW64\Llobhg32.dll	Dnonkq32.exe
File opened for modification	C:\Windows\SysWOW64\Lbgalmej.exe	Kjpijpdg.exe
File opened for modification	C:\Windows\SysWOW64\Ohpkmn32.exe	Ohnohn32.exe
File opened for modification	C:\Windows\SysWOW64\Gigaka32.exe	Gbmingjo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgpni32.exe	Lnjgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Bhoqeibl.exe	Bbdhiojo.exe
File created	C:\Windows\SysWOW64\Jlolpq32.exe	Jinboekc.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Lnpofnhk.exe	Lkabjbih.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Oadfkdgd.exe	Okjnnj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9060	8632	WerFault.exe	895

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oenlqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohpkmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdhiojo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnndm32.dll"	Hheoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knbbep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebhglj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnqhicol.dll"	Gkobjpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjibgnp.dll"	Hnagak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgccinoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpijjo32.dll"	Jgdhgmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicdfa32.dll"	Lkofdbkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffceip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll"	Dfoplpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcalieg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idieem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfkbf32.dll"	Ljgpkonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pifnhpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgknhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjdjoane.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kelkaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blanhfid.dll"	Neffpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pibdmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghcocol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll"	Gdlfhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccphhl32.dll"	Qcaofebg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaajhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggamk32.dll"	Bidqko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcfahbpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kggcnoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqqpnlk.dll"	Cbpajgmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbnjmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3592	5092	de9021299f6019706422ffdb859f636a.exe	86
PID 5092 wrote to memory of 3592	5092	de9021299f6019706422ffdb859f636a.exe	86
PID 5092 wrote to memory of 3592	5092	de9021299f6019706422ffdb859f636a.exe	86
PID 3592 wrote to memory of 3416	3592	Gblngpbd.exe	87
PID 3592 wrote to memory of 3416	3592	Gblngpbd.exe	87
PID 3592 wrote to memory of 3416	3592	Gblngpbd.exe	87
PID 3416 wrote to memory of 1268	3416	Hbnjmp32.exe	88
PID 3416 wrote to memory of 1268	3416	Hbnjmp32.exe	88
PID 3416 wrote to memory of 1268	3416	Hbnjmp32.exe	88
PID 1268 wrote to memory of 4068	1268	Hkfoeega.exe	89
PID 1268 wrote to memory of 4068	1268	Hkfoeega.exe	89
PID 1268 wrote to memory of 4068	1268	Hkfoeega.exe	89
PID 4068 wrote to memory of 2228	4068	Heocnk32.exe	90
PID 4068 wrote to memory of 2228	4068	Heocnk32.exe	90
PID 4068 wrote to memory of 2228	4068	Heocnk32.exe	90
PID 2228 wrote to memory of 732	2228	Hkikkeeo.exe	91
PID 2228 wrote to memory of 732	2228	Hkikkeeo.exe	91
PID 2228 wrote to memory of 732	2228	Hkikkeeo.exe	91
PID 732 wrote to memory of 4844	732	Hbbdholl.exe	92
PID 732 wrote to memory of 4844	732	Hbbdholl.exe	92
PID 732 wrote to memory of 4844	732	Hbbdholl.exe	92
PID 4844 wrote to memory of 3420	4844	Hcbpab32.exe	94
PID 4844 wrote to memory of 3420	4844	Hcbpab32.exe	94
PID 4844 wrote to memory of 3420	4844	Hcbpab32.exe	94
PID 3420 wrote to memory of 1620	3420	Hmjdjgjo.exe	95
PID 3420 wrote to memory of 1620	3420	Hmjdjgjo.exe	95
PID 3420 wrote to memory of 1620	3420	Hmjdjgjo.exe	95
PID 1620 wrote to memory of 364	1620	Ilghlc32.exe	97
PID 1620 wrote to memory of 364	1620	Ilghlc32.exe	97
PID 1620 wrote to memory of 364	1620	Ilghlc32.exe	97
PID 364 wrote to memory of 4340	364	Jpgmha32.exe	98
PID 364 wrote to memory of 4340	364	Jpgmha32.exe	98
PID 364 wrote to memory of 4340	364	Jpgmha32.exe	98
PID 4340 wrote to memory of 5104	4340	Jfcbjk32.exe	99
PID 4340 wrote to memory of 5104	4340	Jfcbjk32.exe	99
PID 4340 wrote to memory of 5104	4340	Jfcbjk32.exe	99
PID 5104 wrote to memory of 4672	5104	Jmpgldhg.exe	101
PID 5104 wrote to memory of 4672	5104	Jmpgldhg.exe	101
PID 5104 wrote to memory of 4672	5104	Jmpgldhg.exe	101
PID 4672 wrote to memory of 916	4672	Jifhaenk.exe	102
PID 4672 wrote to memory of 916	4672	Jifhaenk.exe	102
PID 4672 wrote to memory of 916	4672	Jifhaenk.exe	102
PID 916 wrote to memory of 840	916	Kfjhkjle.exe	103
PID 916 wrote to memory of 840	916	Kfjhkjle.exe	103
PID 916 wrote to memory of 840	916	Kfjhkjle.exe	103
PID 840 wrote to memory of 5004	840	Kpbmco32.exe	104
PID 840 wrote to memory of 5004	840	Kpbmco32.exe	104
PID 840 wrote to memory of 5004	840	Kpbmco32.exe	104
PID 5004 wrote to memory of 1844	5004	Kfmepi32.exe	105
PID 5004 wrote to memory of 1844	5004	Kfmepi32.exe	105
PID 5004 wrote to memory of 1844	5004	Kfmepi32.exe	105
PID 1844 wrote to memory of 1212	1844	Klimip32.exe	106
PID 1844 wrote to memory of 1212	1844	Klimip32.exe	106
PID 1844 wrote to memory of 1212	1844	Klimip32.exe	106
PID 1212 wrote to memory of 2808	1212	Kimnbd32.exe	107
PID 1212 wrote to memory of 2808	1212	Kimnbd32.exe	107
PID 1212 wrote to memory of 2808	1212	Kimnbd32.exe	107
PID 2808 wrote to memory of 4968	2808	Kbfbkj32.exe	108
PID 2808 wrote to memory of 4968	2808	Kbfbkj32.exe	108
PID 2808 wrote to memory of 4968	2808	Kbfbkj32.exe	108
PID 4968 wrote to memory of 3380	4968	Klngdpdd.exe	109
PID 4968 wrote to memory of 3380	4968	Klngdpdd.exe	109
PID 4968 wrote to memory of 3380	4968	Klngdpdd.exe	109
PID 3380 wrote to memory of 2072	3380	Kefkme32.exe	110

C:\Users\Admin\AppData\Local\Temp\de9021299f6019706422ffdb859f636a.exe
"C:\Users\Admin\AppData\Local\Temp\de9021299f6019706422ffdb859f636a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\Gblngpbd.exe
  C:\Windows\system32\Gblngpbd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\Hbnjmp32.exe
    C:\Windows\system32\Hbnjmp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\Hkfoeega.exe
      C:\Windows\system32\Hkfoeega.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        24⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        25⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        26⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        27⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        28⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        31⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        32⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        34⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        35⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        36⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        37⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        38⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        39⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        40⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        42⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        43⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        44⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        45⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        46⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        47⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        48⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        51⤵
        Executes dropped EXE
        
        PID:344
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        52⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        55⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        57⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        58⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        59⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        60⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        61⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        62⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        63⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        64⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        65⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        66⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        67⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        68⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        69⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        70⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        71⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        73⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        74⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        75⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        76⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        77⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        78⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        80⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        81⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        82⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        83⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        84⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        85⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Egdqae32.exe
        
        C:\Windows\system32\Egdqae32.exe
        86⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Edknqiho.exe
        
        C:\Windows\system32\Edknqiho.exe
        87⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Eopbnbhd.exe
        
        C:\Windows\system32\Eopbnbhd.exe
        88⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Eejjjl32.exe
        
        C:\Windows\system32\Eejjjl32.exe
        89⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ehiffh32.exe
        
        C:\Windows\system32\Ehiffh32.exe
        90⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Eobocb32.exe
        
        C:\Windows\system32\Eobocb32.exe
        91⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Emeoooml.exe
        
        C:\Windows\system32\Emeoooml.exe
        92⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ekiohclf.exe
        
        C:\Windows\system32\Ekiohclf.exe
        93⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Fgppmd32.exe
        
        C:\Windows\system32\Fgppmd32.exe
        94⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Gaogak32.exe
        
        C:\Windows\system32\Gaogak32.exe
        95⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Gkglja32.exe
        
        C:\Windows\system32\Gkglja32.exe
        96⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Gadqlkep.exe
        
        C:\Windows\system32\Gadqlkep.exe
        97⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        98⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Gkleeplq.exe
        
        C:\Windows\system32\Gkleeplq.exe
        99⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Gnkaalkd.exe
        
        C:\Windows\system32\Gnkaalkd.exe
        100⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Gddinf32.exe
        
        C:\Windows\system32\Gddinf32.exe
        101⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ggcfja32.exe
        
        C:\Windows\system32\Ggcfja32.exe
        102⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Gkobjpin.exe
        
        C:\Windows\system32\Gkobjpin.exe
        103⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Gnmnfkia.exe
        
        C:\Windows\system32\Gnmnfkia.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Gfdfgiid.exe
        
        C:\Windows\system32\Gfdfgiid.exe
        105⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ggeboaob.exe
        
        C:\Windows\system32\Ggeboaob.exe
        106⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Goljqnpd.exe
        
        C:\Windows\system32\Goljqnpd.exe
        107⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Hakgmjoh.exe
        
        C:\Windows\system32\Hakgmjoh.exe
        108⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Hheoid32.exe
        
        C:\Windows\system32\Hheoid32.exe
        109⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Hnagak32.exe
        
        C:\Windows\system32\Hnagak32.exe
        110⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Hdlpneli.exe
        
        C:\Windows\system32\Hdlpneli.exe
        111⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Hhgloc32.exe
        
        C:\Windows\system32\Hhgloc32.exe
        112⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Hoadkn32.exe
        
        C:\Windows\system32\Hoadkn32.exe
        113⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Hnddgjbj.exe
        
        C:\Windows\system32\Hnddgjbj.exe
        114⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Hfklhhcl.exe
        
        C:\Windows\system32\Hfklhhcl.exe
        115⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Hhihdcbp.exe
        
        C:\Windows\system32\Hhihdcbp.exe
        116⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Hkhdqoac.exe
        
        C:\Windows\system32\Hkhdqoac.exe
        117⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Hdpiid32.exe
        
        C:\Windows\system32\Hdpiid32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Hgoeep32.exe
        
        C:\Windows\system32\Hgoeep32.exe
        119⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Hkjafn32.exe
        
        C:\Windows\system32\Hkjafn32.exe
        120⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Hninbj32.exe
        
        C:\Windows\system32\Hninbj32.exe
        121⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Ioopml32.exe
        
        C:\Windows\system32\Ioopml32.exe
        122⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ifihif32.exe
        
        C:\Windows\system32\Ifihif32.exe
        123⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Iigdfa32.exe
        
        C:\Windows\system32\Iigdfa32.exe
        124⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ikfabm32.exe
        
        C:\Windows\system32\Ikfabm32.exe
        125⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Indmnh32.exe
        
        C:\Windows\system32\Indmnh32.exe
        126⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ifleoe32.exe
        
        C:\Windows\system32\Ifleoe32.exe
        127⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Iijaka32.exe
        
        C:\Windows\system32\Iijaka32.exe
        128⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Jkhngl32.exe
        
        C:\Windows\system32\Jkhngl32.exe
        129⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        130⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jfnbdecg.exe
        
        C:\Windows\system32\Jfnbdecg.exe
        131⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Jgonlm32.exe
        
        C:\Windows\system32\Jgonlm32.exe
        132⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Joffnk32.exe
        
        C:\Windows\system32\Joffnk32.exe
        133⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Jbdbjf32.exe
        
        C:\Windows\system32\Jbdbjf32.exe
        134⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Jgakbm32.exe
        
        C:\Windows\system32\Jgakbm32.exe
        135⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Jeekkafl.exe
        
        C:\Windows\system32\Jeekkafl.exe
        136⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Jgdhgmep.exe
        
        C:\Windows\system32\Jgdhgmep.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jpkphjeb.exe
        
        C:\Windows\system32\Jpkphjeb.exe
        138⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Jfehed32.exe
        
        C:\Windows\system32\Jfehed32.exe
        139⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Jkaqnk32.exe
        
        C:\Windows\system32\Jkaqnk32.exe
        140⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Jejefqaf.exe
        
        C:\Windows\system32\Jejefqaf.exe
        141⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Kldmckic.exe
        
        C:\Windows\system32\Kldmckic.exe
        142⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        143⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Kelalp32.exe
        
        C:\Windows\system32\Kelalp32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Kgknhl32.exe
        
        C:\Windows\system32\Kgknhl32.exe
        145⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Kijjbofj.exe
        
        C:\Windows\system32\Kijjbofj.exe
        146⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Kbbokdlk.exe
        
        C:\Windows\system32\Kbbokdlk.exe
        147⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Kimghn32.exe
        
        C:\Windows\system32\Kimghn32.exe
        148⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Klkcdj32.exe
        
        C:\Windows\system32\Klkcdj32.exe
        149⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Knippe32.exe
        
        C:\Windows\system32\Knippe32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Kfqgab32.exe
        
        C:\Windows\system32\Kfqgab32.exe
        151⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Kiodmn32.exe
        
        C:\Windows\system32\Kiodmn32.exe
        152⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Klmpiiai.exe
        
        C:\Windows\system32\Klmpiiai.exe
        153⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Knlleepl.exe
        
        C:\Windows\system32\Knlleepl.exe
        154⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Kfcdfbqo.exe
        
        C:\Windows\system32\Kfcdfbqo.exe
        155⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Kiaqcnpb.exe
        
        C:\Windows\system32\Kiaqcnpb.exe
        156⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Lpkiph32.exe
        
        C:\Windows\system32\Lpkiph32.exe
        157⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Lbjelc32.exe
        
        C:\Windows\system32\Lbjelc32.exe
        158⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Llbidimc.exe
        
        C:\Windows\system32\Llbidimc.exe
        159⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Lfhnaa32.exe
        
        C:\Windows\system32\Lfhnaa32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Lhijijbg.exe
        
        C:\Windows\system32\Lhijijbg.exe
        161⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Lbnngbbn.exe
        
        C:\Windows\system32\Lbnngbbn.exe
        162⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Lihfcm32.exe
        
        C:\Windows\system32\Lihfcm32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Lhkgoiqe.exe
        
        C:\Windows\system32\Lhkgoiqe.exe
        164⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lbqklb32.exe
        
        C:\Windows\system32\Lbqklb32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6556
        
        C:\Windows\SysWOW64\Lflgmqhd.exe
        
        C:\Windows\system32\Lflgmqhd.exe
        166⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Likcilhh.exe
        
        C:\Windows\system32\Likcilhh.exe
        167⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Lbchba32.exe
        
        C:\Windows\system32\Lbchba32.exe
        168⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Mhppji32.exe
        
        C:\Windows\system32\Mhppji32.exe
        169⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mpghkf32.exe
        
        C:\Windows\system32\Mpghkf32.exe
        170⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Mbedga32.exe
        
        C:\Windows\system32\Mbedga32.exe
        171⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Mlnipg32.exe
        
        C:\Windows\system32\Mlnipg32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Nlleaeff.exe
        
        C:\Windows\system32\Nlleaeff.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Nlnbgddc.exe
        
        C:\Windows\system32\Nlnbgddc.exe
        174⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Neffpj32.exe
        
        C:\Windows\system32\Neffpj32.exe
        175⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ncjginjn.exe
        
        C:\Windows\system32\Ncjginjn.exe
        176⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        177⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Oghppm32.exe
        
        C:\Windows\system32\Oghppm32.exe
        178⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ohjlgefb.exe
        
        C:\Windows\system32\Ohjlgefb.exe
        179⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Oenlqi32.exe
        
        C:\Windows\system32\Oenlqi32.exe
        180⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Opcqnb32.exe
        
        C:\Windows\system32\Opcqnb32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Oofaiokl.exe
        
        C:\Windows\system32\Oofaiokl.exe
        182⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        183⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Plagcbdn.exe
        
        C:\Windows\system32\Plagcbdn.exe
        184⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Phhhhc32.exe
        
        C:\Windows\system32\Phhhhc32.exe
        186⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        187⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        188⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Phjenbhp.exe
        
        C:\Windows\system32\Phjenbhp.exe
        189⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        190⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Pgkelj32.exe
        
        C:\Windows\system32\Pgkelj32.exe
        191⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Pjjahe32.exe
        
        C:\Windows\system32\Pjjahe32.exe
        192⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        193⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        194⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Qjnkcekm.exe
        
        C:\Windows\system32\Qjnkcekm.exe
        195⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Afelhf32.exe
        
        C:\Windows\system32\Afelhf32.exe
        196⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        197⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7304
        
        C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        199⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        200⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        201⤵
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Bqfoamfj.exe
        
        C:\Windows\system32\Bqfoamfj.exe
        202⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Bjodjb32.exe
        
        C:\Windows\system32\Bjodjb32.exe
        203⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Bmmpfn32.exe
        
        C:\Windows\system32\Bmmpfn32.exe
        204⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Bidqko32.exe
        
        C:\Windows\system32\Bidqko32.exe
        205⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Bmbiamhi.exe
        
        C:\Windows\system32\Bmbiamhi.exe
        206⤵
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Bfjnjcni.exe
        
        C:\Windows\system32\Bfjnjcni.exe
        207⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Cidjbmcp.exe
        
        C:\Windows\system32\Cidjbmcp.exe
        208⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        209⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        210⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Dhlpqc32.exe
        
        C:\Windows\system32\Dhlpqc32.exe
        211⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        212⤵
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Dmihij32.exe
        
        C:\Windows\system32\Dmihij32.exe
        213⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        214⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Dfamapjo.exe
        
        C:\Windows\system32\Dfamapjo.exe
        215⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Eipinkib.exe
        
        C:\Windows\system32\Eipinkib.exe
        216⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8108
        
        C:\Windows\SysWOW64\Ejpfhnpe.exe
        
        C:\Windows\system32\Ejpfhnpe.exe
        218⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Eidbij32.exe
        
        C:\Windows\system32\Eidbij32.exe
        219⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Efhcbodf.exe
        
        C:\Windows\system32\Efhcbodf.exe
        220⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Eaqdegaj.exe
        
        C:\Windows\system32\Eaqdegaj.exe
        221⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Fdkpma32.exe
        
        C:\Windows\system32\Fdkpma32.exe
        222⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Gkdhjknm.exe
        
        C:\Windows\system32\Gkdhjknm.exe
        223⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Gdmmbq32.exe
        
        C:\Windows\system32\Gdmmbq32.exe
        224⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Gaamlecg.exe
        
        C:\Windows\system32\Gaamlecg.exe
        225⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Gkiaej32.exe
        
        C:\Windows\system32\Gkiaej32.exe
        226⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Gnhnaf32.exe
        
        C:\Windows\system32\Gnhnaf32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        228⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Gklnjj32.exe
        
        C:\Windows\system32\Gklnjj32.exe
        229⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Ghpocngo.exe
        
        C:\Windows\system32\Ghpocngo.exe
        230⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        231⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        232⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        233⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        234⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Idieem32.exe
        
        C:\Windows\system32\Idieem32.exe
        236⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Iggaah32.exe
        
        C:\Windows\system32\Iggaah32.exe
        237⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Ijhjcchb.exe
        
        C:\Windows\system32\Ijhjcchb.exe
        238⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        239⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Jdnoplhh.exe
        
        C:\Windows\system32\Jdnoplhh.exe
        240⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        241⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        242⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Jbdlop32.exe
        
        C:\Windows\system32\Jbdlop32.exe
        243⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Jjamia32.exe
        
        C:\Windows\system32\Jjamia32.exe
        244⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        245⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Jgenbfoa.exe
        
        C:\Windows\system32\Jgenbfoa.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Jjdjoane.exe
        
        C:\Windows\system32\Jjdjoane.exe
        247⤵
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        248⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        249⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Kjffdalb.exe
        
        C:\Windows\system32\Kjffdalb.exe
        250⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        251⤵
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Kelkaj32.exe
        
        C:\Windows\system32\Kelkaj32.exe
        252⤵
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Kgjgne32.exe
        
        C:\Windows\system32\Kgjgne32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        254⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        255⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        256⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Kjpijpdg.exe
        
        C:\Windows\system32\Kjpijpdg.exe
        257⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Lbgalmej.exe
        
        C:\Windows\system32\Lbgalmej.exe
        258⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Leenhhdn.exe
        
        C:\Windows\system32\Leenhhdn.exe
        259⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Lkofdbkj.exe
        
        C:\Windows\system32\Lkofdbkj.exe
        260⤵
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        261⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        263⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        265⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Lankbigo.exe
        
        C:\Windows\system32\Lankbigo.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Lghcocol.exe
        
        C:\Windows\system32\Lghcocol.exe
        267⤵
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Ljgpkonp.exe
        
        C:\Windows\system32\Ljgpkonp.exe
        268⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Lelchgne.exe
        
        C:\Windows\system32\Lelchgne.exe
        269⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        270⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        271⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        272⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        273⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        274⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8396
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        276⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        277⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        278⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        279⤵
        Drops file in System32 directory
        
        PID:8560
        
        C:\Windows\SysWOW64\Okjnnj32.exe
        
        C:\Windows\system32\Okjnnj32.exe
        280⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Oadfkdgd.exe
        
        C:\Windows\system32\Oadfkdgd.exe
        281⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        282⤵
        Drops file in System32 directory
        
        PID:8704
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8748
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        284⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        285⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        286⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        287⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        288⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        289⤵
        Modifies registry class
        
        PID:9036
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        290⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Qhlkilba.exe
        
        C:\Windows\system32\Qhlkilba.exe
        291⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        292⤵
        Modifies registry class
        
        PID:9204
        
        C:\Windows\SysWOW64\Qebhhp32.exe
        
        C:\Windows\system32\Qebhhp32.exe
        293⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        294⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        295⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Aoofle32.exe
        
        C:\Windows\system32\Aoofle32.exe
        296⤵
        Drops file in System32 directory
        
        PID:8436
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        297⤵
        Drops file in System32 directory
        
        PID:8504
        
        C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        298⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Acokhc32.exe
        
        C:\Windows\system32\Acokhc32.exe
        299⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Bjicdmmd.exe
        
        C:\Windows\system32\Bjicdmmd.exe
        300⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Blhpqhlh.exe
        
        C:\Windows\system32\Blhpqhlh.exe
        301⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        302⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Bbdhiojo.exe
        
        C:\Windows\system32\Bbdhiojo.exe
        303⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8900
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        304⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Bmlilh32.exe
        
        C:\Windows\system32\Bmlilh32.exe
        305⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Bcfahbpo.exe
        
        C:\Windows\system32\Bcfahbpo.exe
        306⤵
        Modifies registry class
        
        PID:9124
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        307⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Bmabggdm.exe
        
        C:\Windows\system32\Bmabggdm.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8308
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        309⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5000
        
        C:\Windows\SysWOW64\Cmcolgbj.exe
        
        C:\Windows\system32\Cmcolgbj.exe
        311⤵
        Drops file in System32 directory
        
        PID:8640
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        312⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        313⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        314⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        315⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Cbbdjm32.exe
        
        C:\Windows\system32\Cbbdjm32.exe
        316⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Cfnqklgh.exe
        
        C:\Windows\system32\Cfnqklgh.exe
        317⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        318⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Ccgjopal.exe
        
        C:\Windows\system32\Ccgjopal.exe
        319⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        320⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Dmdhcddh.exe
        
        C:\Windows\system32\Dmdhcddh.exe
        321⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Djhimica.exe
        
        C:\Windows\system32\Djhimica.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9168
        
        C:\Windows\SysWOW64\Djjebh32.exe
        
        C:\Windows\system32\Djjebh32.exe
        323⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        324⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        325⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        326⤵
        Modifies registry class
        
        PID:9152
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        327⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        328⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Elbhjp32.exe
        
        C:\Windows\system32\Elbhjp32.exe
        329⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Eblpgjha.exe
        
        C:\Windows\system32\Eblpgjha.exe
        330⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        331⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Emdajb32.exe
        
        C:\Windows\system32\Emdajb32.exe
        332⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        333⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        334⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        335⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Fmkgkapm.exe
        
        C:\Windows\system32\Fmkgkapm.exe
        336⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Fbhpch32.exe
        
        C:\Windows\system32\Fbhpch32.exe
        337⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Flqdlnde.exe
        
        C:\Windows\system32\Flqdlnde.exe
        338⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        339⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        340⤵
        Drops file in System32 directory
        
        PID:9588
        
        C:\Windows\SysWOW64\Gigaka32.exe
        
        C:\Windows\system32\Gigaka32.exe
        341⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Glengm32.exe
        
        C:\Windows\system32\Glengm32.exe
        342⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\Gdlfhj32.exe
        
        C:\Windows\system32\Gdlfhj32.exe
        343⤵
        Modifies registry class
        
        PID:9704
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9748
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        345⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        346⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9832
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        347⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Hginecde.exe
        
        C:\Windows\system32\Hginecde.exe
        348⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        349⤵
        Drops file in System32 directory
        
        PID:9964
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10000
        
        C:\Windows\SysWOW64\Hdmoohbo.exe
        
        C:\Windows\system32\Hdmoohbo.exe
        351⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        352⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        353⤵
        Drops file in System32 directory
        
        PID:10136
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        354⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        355⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        356⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        357⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        358⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        359⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        360⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        361⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        362⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        363⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        364⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        365⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        366⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        367⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2480
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        369⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        370⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Kggcnoic.exe
        
        C:\Windows\system32\Kggcnoic.exe
        371⤵
        Modifies registry class
        
        PID:9248
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9288
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        373⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        374⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        375⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        376⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Kqbdldnq.exe
        
        C:\Windows\system32\Kqbdldnq.exe
        377⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        378⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Kqdaadln.exe
        
        C:\Windows\system32\Kqdaadln.exe
        379⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        380⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        381⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        382⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        383⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10220
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        384⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        385⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        386⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        387⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9028
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        388⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        389⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        390⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        391⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        392⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        393⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        394⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        395⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        396⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        397⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        398⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        399⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        400⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        401⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        402⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        403⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        404⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        405⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        406⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10236
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        407⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        408⤵
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        409⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        410⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        411⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        412⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        413⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        414⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        415⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10100
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        416⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        417⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        418⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5032
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        419⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        420⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        421⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        422⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        423⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        424⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        425⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        426⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        427⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        428⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        429⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        430⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        431⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        432⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        433⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        434⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        435⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        436⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        437⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        438⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        439⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        440⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        441⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        442⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        443⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        444⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        445⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        446⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        447⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        448⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        449⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        450⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        451⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        452⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        453⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        454⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        455⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        456⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3968
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        457⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        458⤵
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        459⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        460⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        461⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        462⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        463⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        464⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        465⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        466⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        467⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        468⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        469⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        470⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        471⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        472⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        473⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        474⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        475⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        476⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        477⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        478⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        479⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        480⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        481⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        482⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        483⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        484⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        485⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        486⤵
        Drops file in System32 directory
        
        PID:10380
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        487⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        488⤵
        Drops file in System32 directory
        
        PID:10468
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        489⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        490⤵
        Drops file in System32 directory
        
        PID:10552
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        491⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        492⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        493⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        494⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        495⤵
        Drops file in System32 directory
        
        PID:10808
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        496⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        497⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        498⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        499⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        500⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11052
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        501⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        502⤵
        Modifies registry class
        
        PID:11144
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        503⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        504⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        505⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        506⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        507⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        508⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        509⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        510⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        511⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        512⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        513⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        514⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        515⤵
        Modifies registry class
        
        PID:10792
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        516⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        517⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        518⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        519⤵
        Drops file in System32 directory
        
        PID:10392
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        520⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        521⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        522⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        523⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        524⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        525⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        526⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        527⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        528⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4244
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        529⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        530⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        531⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        532⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        533⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        534⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        535⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        536⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        537⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        538⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        539⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        540⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        541⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        542⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        543⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        544⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        545⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        546⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        547⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        548⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        549⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        550⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        551⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        552⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        553⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        554⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        555⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        556⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        557⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        558⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        559⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        560⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11128
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        561⤵
        Modifies registry class
        
        PID:11168
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        562⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        563⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        564⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        565⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        566⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        567⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        568⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        569⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        570⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        571⤵
        Drops file in System32 directory
        
        PID:10528
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        572⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        573⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        574⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        575⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        576⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        577⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        578⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        579⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        580⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        581⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        582⤵
        Modifies registry class
        
        PID:11016
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        583⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        584⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        585⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        586⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        587⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        588⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        589⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        590⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        591⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        592⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        593⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        594⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        595⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        596⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        597⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        598⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        599⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        600⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        601⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        602⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        603⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        604⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        605⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        606⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        607⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        608⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        609⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        610⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        611⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        612⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        613⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        614⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        615⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        616⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        617⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        618⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        619⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        620⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        621⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        622⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        623⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        624⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        625⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11076
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        626⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        627⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        628⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        629⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        630⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        631⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        632⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        633⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        634⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        635⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        636⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        637⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        638⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        639⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        640⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        641⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        642⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        643⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        644⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        645⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        646⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        647⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        648⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        649⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        650⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        651⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        652⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        653⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        654⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        655⤵
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        656⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        657⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        658⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        659⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        660⤵
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        661⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        662⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        663⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        664⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        665⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        666⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        667⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        668⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10660
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        669⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        670⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        671⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        672⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        673⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        674⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        675⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        676⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        677⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        678⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        679⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        680⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        681⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        682⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        683⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        684⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        685⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        686⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        687⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        688⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        689⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7924
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        690⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        691⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        692⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        693⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        694⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        695⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        696⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        697⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7600
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        698⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        699⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        700⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        701⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        702⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11320
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        703⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        704⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        705⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        706⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        707⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        708⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        709⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        710⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        711⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        712⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        713⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        714⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        715⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        716⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        717⤵
        Drops file in System32 directory
        
        PID:11972
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        718⤵
        Modifies registry class
        
        PID:12016
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        719⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        720⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        721⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        722⤵
        Drops file in System32 directory
        
        PID:12244
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        723⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        724⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        725⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        726⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        727⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        728⤵
        Drops file in System32 directory
        
        PID:11572
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        729⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        730⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        731⤵
        Modifies registry class
        
        PID:11764
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        732⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        733⤵
        Drops file in System32 directory
        
        PID:7524
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        734⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        735⤵
        Drops file in System32 directory
        
        PID:11968
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        736⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        737⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        738⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        739⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        740⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        741⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        742⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        743⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        744⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        745⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        746⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        747⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3848
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        748⤵
        Drops file in System32 directory
        
        PID:11696
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        749⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        750⤵
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        751⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        752⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        753⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        754⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12004
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        755⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        756⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        757⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        758⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        759⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        760⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        761⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        762⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        763⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        764⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        765⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        766⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        767⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        768⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        769⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        770⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        771⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        772⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11924
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        773⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11980
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        774⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        775⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        776⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        777⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        778⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11344
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        779⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        780⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        781⤵
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        782⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        783⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        784⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        785⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        786⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        787⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        788⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        789⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        790⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        791⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        792⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        793⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        794⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        795⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        796⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        797⤵
        Drops file in System32 directory
        
        PID:8812
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        798⤵
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        799⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8632 -s 400
        800⤵
        Program crash
        
        PID:9060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8632 -ip 8632
1⤵
PID:11552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:8812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:11716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aojlaeei.exe

Filesize
220KB

MD5
9a2b7ef354b576e20dfff1a41fb94fe1

SHA1
5843f1951fd23b0b3e039029248ced53a9577873

SHA256
437d1600d402d3f7014d1ecfd6a4655b4623a60dfe97953580ec74f4dda94f20

SHA512
c8caf91ffe75961ede21573483a4d98b6762c1eccf8da93c2077728a722a2e81910f3434eaae75616db70fb55e1e0e7382e626ac524428992000115f77a53f28

Download Submit
C:\Windows\SysWOW64\Aoofle32.exe

Filesize
220KB

MD5
672df88726bdb5d77569a27f1012733f

SHA1
e6eba14e23630c34455ce96aa0bc4eced8cf768e

SHA256
7223aac718ad47db3d2f910de5e4de01262662eb34a7c2c17c8bb30849e3e27b

SHA512
4c0ebe0837d53bf2fd9f8f5a686975039d09a91384a6c2bc28c04c86013a8e4ce6a1605675087236629f6ceb1c6533c3ed62e8119849a4339b4916bf73b664f9

Download Submit
C:\Windows\SysWOW64\Bmbiamhi.exe

Filesize
64KB

MD5
0233f69880ab6f8708e17e0650c53e8a

SHA1
f6256319cf5eae355bae95b95b0db4cc4fa8417a

SHA256
3395626fc7f30b2e5063149393ce156fecc4e31f8d8de8316291a8f3472bda6d

SHA512
a205b22f0ed66d15f852cf27f899eb359687732dfb99d0bcce613a5b078d66fe4c266a16bab9da7833d40cfc3869f4739c43dd85fb6f616671941ce1f170c595

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
220KB

MD5
19156a88b4a2da84d49216111a416f19

SHA1
79493e35b5fe01956f7a32841695a6e7e636304b

SHA256
4231888dd0c9ec43ed623c41ec58aa5ca27e869b0232c68f22d63dae44a8c1a3

SHA512
76653029b21770ce062b7bbfdec5fa868b13ae094dd1acf76fdd37e7f7440d3b42fde148dd18cb23ef9aa0a8933d8d8396fa7413fb5e3b27fd59c8f5a6f81b10

Download Submit
C:\Windows\SysWOW64\Bogcgj32.exe

Filesize
220KB

MD5
b503edba33b616c8896d09ffc6e366b5

SHA1
c58beead96b42a81079353eaceec4cea146117a2

SHA256
fc56a8846d6654d55541176ea36331d3109f84c3b98062915f0ac9b8b211e99a

SHA512
9b24892e329f430c37f27fe82a9dd078808883d33bc330ec1942fa5afa9c9a1148b11ea698cd0da7f4de5041cd8f71a0c8e946e1e9a0b969b4d0adfa394c6a33

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
220KB

MD5
8b4083b9ced8db7fa7a04da92eae98de

SHA1
48c540ff0516e6241b433ef37bdc3cb6bf02ee86

SHA256
e8c077c235a0d05d1ba0782df182d77363d99f02ae63de19060268f82344a065

SHA512
dab3338cf6fee2fff7f05e04ea327c151f206d6b68dd872f3e1624ee8181aea0d258f4abf023d6b3b164cc3bc0f576c85c91a91eda819e615e4b5b12e0690032

Download Submit
C:\Windows\SysWOW64\Ckkiccep.exe

Filesize
220KB

MD5
f0aee02d2676c3d45917cddd46c49ecb

SHA1
db4c461b31aa845302a262162c89676ce424ceae

SHA256
e8f633a038daf04f97a8e769c6297b5d33bfb076399096b1d12096d7f621737a

SHA512
d14a910696ed8a9841b2b1d344354d888127843c505c563a870effb915e604d2b245f9a639e669f4100ffe801d1aafe196817f87ecd756a71403c48f295f2bed

Download Submit
C:\Windows\SysWOW64\Djhimica.exe

Filesize
64KB

MD5
58d6799eac665a4f6588533f656acc1a

SHA1
b95407647159f1d2cb0435628a041636ac491401

SHA256
eb7bd8ab0da512431d9c06cb38281501ec2296857588201eb157e21990a019e3

SHA512
fd75d08c4e149648806c5bcd87920de6ce24ebe97bc5e6414913a78aebd2d2ccef6ea9833ac95519f2a605cceddff388dd5336c8de912e073887c18d734d051a

Download Submit
C:\Windows\SysWOW64\Egdqae32.exe

Filesize
220KB

MD5
defb86793b1187607c6ffe3eeabdaecd

SHA1
ecd5bcc987ace28f8f67d61f3715f322adbbfbf9

SHA256
e3146ddf499798484e445e938d338a3f936344fe452ec6900cb23b9d6d03b264

SHA512
76f7d82c70d520a90f75f3b736ca69ee2d3777a7bb3d7c3176459610aafdc11ac263f41ebbb40ae34bc68cfdaa7ece11ad88bcbcdf1e06f4a749cedaaa397f94

Download Submit
C:\Windows\SysWOW64\Eidbij32.exe

Filesize
220KB

MD5
d264901fbc5884fb0a11a6e91a364818

SHA1
a769bec4d3a78bd45567c3295a2b593dca739f6a

SHA256
4ffb80e30413f248254d5897366463f64a84647f568157a9a227edd9660e3514

SHA512
d0068411cd8a47d2a6527ad5f2fd121399abb5400d361bdc6c807fea793d82703d0bba86a6ad57b5972c95d57a70dc20c9f4d2720a0ef865ad033d2da72ebbec

Download Submit
C:\Windows\SysWOW64\Fmkgkapm.exe

Filesize
220KB

MD5
65a86305ca4fc6e5e09ff07485dcf586

SHA1
950f6957d78444401f05a8983952921dac79e9ec

SHA256
e253ed0dec696b18d8697a231cefd424458b809015e6c80f6f4fd26f29265566

SHA512
b68d7800979ff094f56955ea11a567fe9f0581e7e8fded0512c446946e29619edc6adef3e571341dd1a82bc28986806f94481b7007dbfefc1f0a35f20dbf118d

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
220KB

MD5
7bb3cd480fb232f9bc0085e8eff5e69d

SHA1
092aae3126a1160d2c77298372216c60a4491572

SHA256
54a77513d4da4c1da61a61f194e6ff0a044467d1f6dc31786dc4d9690eadcdf2

SHA512
3efac2ab91b52f03218c3d3023c6d955b3432f2dd61bf487835bbb18f0db443abdb27967d5b3b434142ef82a58ff27ea5f1fbfb6ecdc448122055afe2b03e798

Download Submit
C:\Windows\SysWOW64\Gdmmbq32.exe

Filesize
220KB

MD5
0021b09f7abdb01debdf267ae9f47110

SHA1
b14e0293be0889c7eec011f3c176c9fc6bc681ab

SHA256
870bafa2cc1e8b1ba28aa5b235f4e40658782a856e3a197a520006a52a00cf7e

SHA512
066782bd8a019d1b69011621dd13a141529bf001220b7df44dfa60bf6fdef2f1dbf401c0b0aa84c633dc93ab37f12531ffa6e85a86ebc1a40153d14673192331

Download Submit
C:\Windows\SysWOW64\Gpkchqdj.exe

Filesize
220KB

MD5
487ffa913b7548f40fcb181e1a9cf7d1

SHA1
2873b79f74446231bcb418ca89439716e2169886

SHA256
cc76d8575e7b3465ca7dd51670a74e6f6fa90bfec4e7eb03735076e47ca052e5

SHA512
a57a1fac20022bd227f98a01d23fd0f3bc656597c6bc3f70d87b95d0d56947ac2c3833e091416a5496ed91a48961aa21eabdb8f1fcfadac6da00bb3d3af0509c

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
220KB

MD5
c7d05f22bd663c20ce57bf7cab339d22

SHA1
72d37c55086704f021847796106fd35a01991b8e

SHA256
dd990df1f6df571c6791c9cd508381cd73cafc7c9fac7d5fdedd32ebc6141cc5

SHA512
24e1060e256f69d588df22a6cd6381c1f0816d7a1efb052f0ec98a45b495fe47b8d62e26c660c988e9c24a849fcd1fdbb3eb98c0ba9bf6716b35810b528a2c7f

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
220KB

MD5
5b2bdcb353ac5702b9ead974ce9945d1

SHA1
0429f910cd103da9ce63dd992bd443aaeea62835

SHA256
74c9aa185909fa182e2750ac4a1422b169caf0254586d698b9049bd89ab0eed2

SHA512
3b144c86ddbdf5b0509541ce0ac253da43122921d611fe867c5c5d23794aed97e6d5dd8b00083cb829adbe777e2f5813befeb60961a21de7489d42ea05053008

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
220KB

MD5
1afe43a8993d0ac6c3f15595206bcf43

SHA1
840e4b53acd62dc680d0f8147049475816fb8ba2

SHA256
03ad89e2f8ac0fac6c092fce2f7d511c605f20394b0bea68415bb13f15504f47

SHA512
d8c09cb6519503b31e6ae47c998ebb5c39223c539470eca003379b7929135456d61ab710cb236316fa74266138327f1012e0cee682df9f7d955880a9053b4fd8

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
220KB

MD5
ee09dd86477702ed0d9db0d08d07154f

SHA1
84315747d0c183c3c432c8ae5bf7a331b96b5cde

SHA256
57206eab019290aae60e162cae6de08008112cbefb021c584a5023956f9bfa2b

SHA512
80b35c17c048afc1237d00a293f42c6b0123c612eac9616e241550007abafe4674ee1f9d7ea729bc4e4031c4ecf1498b426767eb61b4a7c470afe1a0b4b03d4b

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
220KB

MD5
c2604170c843d6e4261758db371b937a

SHA1
0bc1e361c98e35c579e9e492eef22e1296a8f17d

SHA256
dee357a90f97f96332faedc84fc34ade3ef51217e4f8fb7b9ba4b35ab6edcde8

SHA512
fb0858420a3ca899cc941abee51e3fac96f4dbb7393ce8f62e83d2051b4b97a37e27228e67584cbbb7ebcc5f986ddaaef2b56fe28b464369a5d21c309f0b88ec

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
220KB

MD5
9c7f316ebafe9defc260308cac1eaadd

SHA1
27f36f811ba86d37dc97c30cbfadcaba10e4b037

SHA256
8bb16b88bbfe57501b9b722d1a68e03cbbf3a2843d84bb2840aaefff1238323f

SHA512
ea10be054ef064fc3fd395a790e7cfbe5a1d0fccf2758d9f793d8954c78fe1e818412a235c6f47c18da9bae494ac755d377226d163965d51812644a99b693007

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
220KB

MD5
f455a203b1c803bff37ca957dba10079

SHA1
bae38c45b11697e4f9daea697303802e05d56006

SHA256
6fa7b853c5b6e9107177125d6a02379cb195a26778bb983ea66099f1b2ed60a7

SHA512
4acc2b2cf0edb0a13eb84b3154057e563ea36f5fdd533133e5737783b5320e2a99d4986492509fc131d8f4f97c07b2da34535d3aaa784cd1d4d914d43f0ee6cf

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
220KB

MD5
214b0c421af1131f2036eb0197c14e9e

SHA1
baa8d4ae627cd09a85acb406d6b29bfd5249abe7

SHA256
dc03abf37e370e2521d82cd3cee922743c7baf9ceb0e3371e7575a3b9a45e22e

SHA512
11a337a8f29defb5357cc3983a91baa751a25284b4b993926b2fc4764500893e31952dfe89a5d2f8eb9a7748d90c6342a9346a87897dc06ef8ecaed262c91bc3

Download Submit
C:\Windows\SysWOW64\Ioopml32.exe

Filesize
220KB

MD5
db5b7527fee32ae787b2503a8dfc9bc7

SHA1
f1eef144178b579e3bff761eb49565d14fc8484e

SHA256
43990a04926a1d5bfc4cca6defe905ff9b55cdc84a6b40c05884e0790cd5cbdb

SHA512
b4cf0b2836b762e819804868644fc347fafec1780e3afe36b72e56d7652cff8fcf28656d7ade45d7477a1e6b53e66d6fe53e081399d79561e7b03ea64bd3e578

Download Submit
C:\Windows\SysWOW64\Jdnoplhh.exe

Filesize
220KB

MD5
6b495638ded8b0805e24572e9ccf6e05

SHA1
74709ffce77b1c3b94c2c5fa846d5de7a3cc269d

SHA256
57fa5b87bcba017982bd28baf8fe1c8511e5f36b9814b913d6f797c231d77720

SHA512
d564375df64de27577345e417892772a7e356eef4da4c16dd2c165d09e86f4108eec2edc9c9e59b4b1b04a97f6f2b7c1f9789b7ed92e47e9c88e3d8cada195c1

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
220KB

MD5
9756a1b97cc70aef70f12aac03969e93

SHA1
a8090e2318b30a64e18f76e754f792b71fe4fb8f

SHA256
517e2673de37819bff7e1fd82762616405645cdf2a7aeb860009486eb9a69336

SHA512
9a8f9fee5ba5a70592b861fe6a1389858c7c030cc6d0c57a8b224d579219cac10012c487ff42aa72e59407eaddbafea095df967ffe4f8ff0b8dc90abb0d678d5

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
220KB

MD5
7fb8760e46400d80418cb062b1cb4968

SHA1
a9a932632ad2ed5696ae0bca55059cd74f32b6dc

SHA256
23d2dc2ba6637c82cfb01d12565fb5c32120051aa82b286aaff1ac0ade641e01

SHA512
e92dfffba9efd6ec1ba3b219497f9bbe146a9806a0b754825d6df290ca6e9560d752c3a91d1dde91d81d57457a8a09c9d3a379d98a71c7b40cb2fb249805a7d9

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
220KB

MD5
075ef1a6858a9b5eef240cd0f8959908

SHA1
3e0a9ba3365f899f0393192554d0b75281ae46ca

SHA256
c874576acf918605a6b01e8e2f0234c9ad6e24501841c8f41021f259d7abd6b8

SHA512
5c55476a349ae481bf7e1ae036afe8eb1d4dc92f08c9bb47c524fa74b9567dac1e129455a83204dd9c17bd177c349e3832262e9a1a5f8aa44294c30d8e211cbe

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
220KB

MD5
2e22cddb14c4e30f9dcb97ca968df182

SHA1
c8977250abb261d61a456836d0582bb7cba4a1b6

SHA256
d38e9d1cc465f3c19d24480b111e9e6346d45ab5f4fa9e5784bf44fc8709d173

SHA512
5ba2c0d131683ee0811c0bd35f160a8248cacb5cb689f1aaf10cd96e5acedc2bda9aad62840f7a34e5f473939eebdcdc663a02d3d59afb646f406db27cd774cb

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
220KB

MD5
29dfda79f4e011204fa69d28b8b89b08

SHA1
4ba1ca7e142657fc53bdea854331199c4aebf6b6

SHA256
ee4c28b14bd57dd14b72d5df6fe043cad2f8f044d30606826f89340c5def11c1

SHA512
49b24e3687647ea2afe6e51f44a0e8ddaf2608aa42cf7d1a90d08e5e8a3e478c9073551cb4c8ead8456c4ac54eb17ff08cfa52333c49670256470bb2f40bca1e

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
220KB

MD5
ca80b6107549c7bec6cab326d2737529

SHA1
33ee5d85cc57d16c868d7a5c09a844573f1790a9

SHA256
fb2c38476286aa9990de981aa5dfc585da2fa74da69201acb24c68b09ada1902

SHA512
454a4b28334a8979d062542f62e852836bca89c11c7e64f8ea93e434166c114ad4007a97e17d5baf449611247db3929abb1df2fede2d819e5a4904aa453549a5

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
220KB

MD5
c1aeb6a4445810d36532d3d113c5c0ed

SHA1
bef37e63be656e78a58ae41cf7b3c6421903143d

SHA256
98da225b1fe04d18c3f48c2599b07b4992e35c65a33e33bc8c2dac2b4e2ad2bd

SHA512
cd9c9627bdb08cb23dc90f15a7a478b7d3bc2da928643779e4b61084c44be903b1ef793b0b66fbe26fc45203e73c0f2f9c51aadd2958b699fac16b4af5cc0e36

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
220KB

MD5
d6f758fa155ef2c8bf159484fff96879

SHA1
dc4b8e89f83c853c86fbce562ed51a8e125897d6

SHA256
cb16a3d33fb54d54f500fd47f5e85af2f1d5fa02c075a85bad1e0125dd05bf6d

SHA512
d8de5b477d5ce1777342068d120a8f241b48a95ee51c193853fdf557f6f595c5ea160b2c6d31496462d922978a6bf6e262156fd1abf587eb88c44881160c32c7

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
220KB

MD5
30ba9dcac7e32630470f10ce0d657322

SHA1
188b864509d5c76eee71ebccd0ae07231b7f63dd

SHA256
19da4ac815c1ec99141df52594511b542890047225b34d66882852458a5db78c

SHA512
783ff36e426cb2224f683f2044de6afb1009f9d5f47b2757c43a8c1fbd8d6e6ea5c4c4bae87aaf956d79f0410b032a06659eb4672363f02c9fa3cd8ee46087b4

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
220KB

MD5
b364b3c19ef8dadaea904217aafd82ee

SHA1
3ac574b646c749cd1562be62a7b3470a51044b87

SHA256
c9045a84550a1ffed2e396d6d198a46a2648874bb788a4adfd5fd814cb5aa2b1

SHA512
77cd7da09070bbbf85e21852e82397913e71f6bc70d7796655381405b0d315e36df57240ec94a9f5f1657f8ac81570dc6efb78ed8e522b22aee6f88da173d1fd

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
220KB

MD5
4639e4c141aba4cd1ce190370ba537ef

SHA1
14763fe0484dce3799e0867130a80c989ccf86dd

SHA256
a7056e9e621944e01299b11d35967e34bd45c7b83b860789b9393607f3777e09

SHA512
2b8aec2cbd236fe2e5fe73d2a94506281c7d64a12c1d7c22b73e1f72d5e965bbad81b63c16d9c6e676eb867e7df9a537d92981f24d40b76877f9536186bb9850

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
220KB

MD5
acfe1b5c1af5cfbd19e59dbe89f1c235

SHA1
573212132d3a0bdb2516d7da384bfd0b48ac2d57

SHA256
6a1c4403e8189000fbaeb5b0966c84a42fe3951c14aee0be4bdedf20f703e5b0

SHA512
2cc4747e3e600d3f0595033eaf5f48cc76a7572b5d54a8b7b2fb40a3e64afcf4ea2d561c9d39796066694b77d354ef2023336c59a7b4b572b4d39f8307e55900

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
220KB

MD5
7ad2d9ddae5dfe42f25345a57bfc369f

SHA1
88a61ee2738c100e4924398935a28105c4a3e948

SHA256
a9dab162ddc05390e4405266d32ac3ba2d8ec6d0df9f8318ee0e4aa03790db7c

SHA512
578754caa163cbeaaccd2db6f9c873cb73445954c39843eb9d2286f675ba7ae62c973b4d7516c7dbef0c5716ee08be3330ae6a4ff21fc8e4217dfbbcdc77f92c

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
220KB

MD5
39621827d5779b70a2542a98da8e083d

SHA1
4eebe7e5b56098d7064584286cc626d7366ba92f

SHA256
f5960ae78c5f31782ba127f316683c980cdd3d7f2353851aa2aaca94078569d2

SHA512
365f7f04381db7953a8c4ed9e84dbbd3774ca7264b30ca135556cc5913c0b4b7a7faee3a8c10e26e91f541f16de9c88adf53bb85f54710a3ce7644048e995035

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
220KB

MD5
2b1537de4a574b329a4fc0f8188d740e

SHA1
cf14fe239f3c2d31eeb136d7e531b74779dba4bc

SHA256
f81c624db49fb9b419ca442396b38d0d5f57d6e9f1d4b4a57d9274e8b8e15f37

SHA512
84c93000aeb0812c7105c053b7401c4e916b6b7bd4157454f18742ccaea6fa4c36d7927f825563d65e08d61b18306da735369e105619286428a8e9ad3dad3d1b

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
220KB

MD5
f4210fa66d4d0b0d8dc5a86af7a5c4a7

SHA1
cf52c0968a7d8a22266c339a9b050e9de12ec63f

SHA256
1f8340cb56b01bc85802c49dc6fffc3bf8a0349ccefd84ca44d208c365e0d702

SHA512
51d9d539c80be421a4a4998f53d0634134ff028487d0ca4ffaeec7a366d3264a3e14423768271a16e9543dd296aabca4a63572ea8198a5dcde2cdfd651abf07b

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
220KB

MD5
a121be05dde2a9fe0a66cacbd8b43ca6

SHA1
4626062f74b2fe57423d1196ed9a157aa3fda891

SHA256
424200b3d16e8d0361f1c1d9d5148d6a7d4eb10df1783038ed0fc61aeae5082b

SHA512
a76f47e089288f2dd6933fdd4db3f1efc93dc18dd1bae7ed05bb771563df4cae34424a1d66d26e875a4c4e57cc4f2953d7372d90a7437a4ac6d898f93e8c9910

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
220KB

MD5
407604bcef5246fcd2e034f2fa4235fc

SHA1
4fae8a82ac2b34732745c15894267cf306705d5b

SHA256
993f0badd7fe44538c2c0a8a917e437da4cd91e515baf97c46a8e5fb46ac111c

SHA512
4018930f062eb208c82aa33e688e1ab1d8c2622dbdb405fdacf161b55bbafe7abf14c6298d843e1a7b4c68a0d7e32ff745809e233f612eda5c9244ec66b9cf2c

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
220KB

MD5
ae2d2efcc5cf51537b5ab284502242fa

SHA1
7079b821b7cd6fb8ee98379288668ea319cbf641

SHA256
e76701610aedb8ae970c47c565f109dbdd5c1f229280475218480ba96837c035

SHA512
313d2a1865a32702331946c411f282592bdfcb06dede6efec528c79817ba0995d2074b7ca3f1a2e5e547d564664701335d5660d98255295fe9c209b000cb39fa

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
220KB

MD5
96d16b73240ed2fba40c30da0c042a49

SHA1
da473f1d5fb01c7bf7522b94b030e1085a7a628f

SHA256
e26a419012b5debc6722a4f089ca09db1fe4db27172e1a736838162dbda92183

SHA512
131e65a810953b8757536b28d5fbc3e1e6514ceb351ed3267b99d5b90e85c70608cbbd45434764a0dd97f416b73bce2fdd61f8f6762004ed3417f169e9fb04df

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
220KB

MD5
5798369633d1118e8ea86751d86e9f4c

SHA1
283b60257f428236e9fa63e27cb65bef8696574d

SHA256
7cc121fc209135d4f5b92627f5d4e719bdcec8147cc443a41190f8d573ee7fbe

SHA512
581e1a5b6979629652e6eee7d82c4daa3aa5ec698d737e3e5b9ebb33043e1df0bdfec63c100ccf358b91b78f0ec1e9ac25a65f6114ca3462cdc0f1b760741817

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
220KB

MD5
e576fb7b84398582293db1fc52d30a57

SHA1
5dfeb8f0d7d76b27f0f74f3e41e3bb97e46ed56d

SHA256
b432a847c6da98ab7c924e55551c163ac67c3b1e319b9688fdb3a5d2418c172b

SHA512
684a581a293cb809f1b9ed1be26c3b908bd52e9b068e3f324ab4997b7b4fe7416f0bf8d122fbe5e2640344402bd35fdf370de881d392e95e89210a894ba62cd6

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
220KB

MD5
14f89065af36c7ae9d61e5899ed19241

SHA1
a1daeef4e9dfef94bbf747e9a635e2143b04d038

SHA256
6970e89e2cc5ed571a9f6a59d11548c760d72654db177d35b12c11877e9f1dcb

SHA512
98449e0c4b3f0bf937fd7e889bdbe4e0a026d2075384f44f34e9b83a02eff66ff9c9e0ede1b960d7da64cba8e6392836c82e2d1af98ab2afc8b21e53d8f0e3e9

Download Submit
C:\Windows\SysWOW64\Nbgcih32.exe

Filesize
220KB

MD5
5c65cb816baca8aa099ea671a16420d5

SHA1
3d44d4add666fa43ed871c7b3d982e7ef0ea6b22

SHA256
f954ea3f28d37a021729dfc09aa74494d5572da3a5307a0519f0ffcdff05f4a3

SHA512
05d19496035f2fb4eb7b9404cbee6e4b4e2bd098daabfa8dc4e26c0cde723dd7c04034e5ff69aed11c15a4172bb12b9f77bb4a91536cace987f0e1d5499a344a

Download Submit
memory/232-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/364-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads