64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe

Analysis

max time kernel
140s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe
Size

385KB
MD5

f2f700c128a3c5589b7459f8af0fe2f8
SHA1

92dba089607dcfcf7e5fcec5929b3bd07db2ceae
SHA256

64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe
SHA512

52a0ce1ad18775bb2795da5e81812b410c5a393dfbea08e57fc0deec55cc2a33bdf7dea16d2ddf4584f372af6e575f3c2f626f5fca297873788a5a0b00cbcd31
SSDEEP

12288:RAY7hVE588y59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:RAY7hK88y7oWypy7o3y7Ey7oAy7oZyUl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnhnaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdnjfojj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghbbcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdhon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqikmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edplhjhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdhiojo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjbhmad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbmcbime.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdlpneli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mefmimif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdfoio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gododflk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqnbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmmjbkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlpjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfigpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbdopck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllagh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhihdcbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebmekoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkadoiip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcpmen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghaliknf.exe

Detects executables built or packed with MPress PE compressor 61 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321c-8.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002321e-15.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023220-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023222-31.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023224-39.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3608-45-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023218-55.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023229-62.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002322b-69.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002322d-76.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002322f-82.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002323a-118.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002323c-125.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023240-139.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023249-173.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002324d-188.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023254-215.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5028-366-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5104-371-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023258-230.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023256-223.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3468-388-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023252-209.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3872-391-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2420-392-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0003000000022898-202.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3540-397-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002324f-195.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002324b-181.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023247-167.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023245-160.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000200000002289b-153.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023242-146.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002323e-132.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023238-111.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023236-104.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023233-97.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023231-90.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023226-48.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4772-415-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3392-467-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232ad-492.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2060-508-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1208-514-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232b5-515.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1396-533-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/632-554-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1920-562-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/596-597-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1364-605-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4008-614-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232d3-634.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023304-774.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002330e-803.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002331c-844.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000233b5-1369.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000233d2-1456.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000233de-1493.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000233ee-1542.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000234d0-2484.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000236c1-4493.dat	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 64 IoCs

pid	Process
3580	Dkjmlk32.exe
2948	Dhnnep32.exe
4116	Dojcgi32.exe
4432	Ddgkpp32.exe
3608	Echknh32.exe
336	Edihepnm.exe
5028	Ecjhcg32.exe
4476	Edkdkplj.exe
5104	Elbmlmml.exe
1772	Eapedd32.exe
3468	Ednaqo32.exe
1012	Ecoangbg.exe
3872	Ecandfpd.exe
2420	Edbklofb.exe
1612	Fljcmlfd.exe
3540	Fcckif32.exe
4772	Fdegandp.exe
4608	Fkopnh32.exe
3724	Fcfhof32.exe
4876	Ffddka32.exe
4532	Fkalchij.exe
4172	Fchddejl.exe
1452	Ffgqqaip.exe
1056	Fhemmlhc.exe
2240	Fkciihgg.exe
4184	Fbnafb32.exe
1976	Ffimfqgm.exe
1352	Fkffog32.exe
3868	Foabofnn.exe
3224	Fbpnkama.exe
2460	Fdnjgmle.exe
1280	Glebhjlg.exe
4092	Gododflk.exe
4880	Gbbkaako.exe
1664	Glhonj32.exe
4252	Gcagkdba.exe
116	Gdcdbl32.exe
972	Gkmlofol.exe
2648	Gcddpdpo.exe
2364	Gfbploob.exe
4912	Ghaliknf.exe
2072	Gkoiefmj.exe
852	Gcfqfc32.exe
1196	Gbiaapdf.exe
2284	Gmoeoidl.exe
5020	Gomakdcp.exe
4080	Gfgjgo32.exe
5112	Gdjjckag.exe
2532	Hkdbpe32.exe
2592	Hckjacjg.exe
3536	Hfifmnij.exe
2476	Hihbijhn.exe
3436	Hobkfd32.exe
4072	Hflcbngh.exe
1572	Hmfkoh32.exe
3672	Hodgkc32.exe
4028	Hbbdholl.exe
3848	Hfnphn32.exe
2784	Himldi32.exe
4400	Hkkhqd32.exe
1860	Hfqlnm32.exe
2160	Hmjdjgjo.exe
1140	Hoiafcic.exe
3476	Ifefimom.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ghmbno32.exe	Gpfjma32.exe
File created	C:\Windows\SysWOW64\Hnoigi32.dll	Pedlgbkh.exe
File created	C:\Windows\SysWOW64\Kbblcj32.dll	Ekaapi32.exe
File created	C:\Windows\SysWOW64\Lfkgaokd.dll	Fdegandp.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Gkaclqkk.exe	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jbbmmo32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Qljcoj32.exe	Qofcff32.exe
File created	C:\Windows\SysWOW64\Cjjlkk32.exe	Ckilmcgb.exe
File opened for modification	C:\Windows\SysWOW64\Plpjoe32.exe	Poliea32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcidopb.exe	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Hlokddim.dll	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Glebhjlg.exe	Fdnjgmle.exe
File created	C:\Windows\SysWOW64\Fdkggg32.exe	Fkcboack.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Ipbdggii.dll	Ghklce32.exe
File created	C:\Windows\SysWOW64\Ilnbicff.exe	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Kncaec32.exe	Kflide32.exe
File opened for modification	C:\Windows\SysWOW64\Ilnbicff.exe	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Ecqieiii.dll	Acfhad32.exe
File opened for modification	C:\Windows\SysWOW64\Gifkpknp.exe	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jadgnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Helbbkkj.dll	Figgdg32.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File opened for modification	C:\Windows\SysWOW64\Goljqnpd.exe	Ghbbcd32.exe
File created	C:\Windows\SysWOW64\Kffonkgk.dll	Koodbl32.exe
File created	C:\Windows\SysWOW64\Lgdidgjg.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Ncchae32.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Adfdmepn.dll	Ppamophb.exe
File opened for modification	C:\Windows\SysWOW64\Alnmjjdb.exe	Acfhad32.exe
File created	C:\Windows\SysWOW64\Lqmmmmph.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Pijcpmhc.exe
File created	C:\Windows\SysWOW64\Cfigpm32.exe	Bckkca32.exe
File created	C:\Windows\SysWOW64\Gbchdp32.exe	Glgcbf32.exe
File created	C:\Windows\SysWOW64\Bdepoj32.dll	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Fnkfmm32.exe	Finnef32.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Jomdjhoo.dll	Nlglfe32.exe
File created	C:\Windows\SysWOW64\Akcoajfm.dll	Hibjli32.exe
File created	C:\Windows\SysWOW64\Lcdciiec.exe	Lpfgmnfp.exe
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Kefiopki.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Oenlqi32.exe	Ooagno32.exe
File created	C:\Windows\SysWOW64\Fpcqcp32.dll	Ggpbjkpl.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Gbpedjnb.exe	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Qaflgago.exe	Qljcoj32.exe
File opened for modification	C:\Windows\SysWOW64\Eblimcdf.exe	Ekaapi32.exe
File created	C:\Windows\SysWOW64\Hfjjlc32.dll	Fflohaij.exe
File created	C:\Windows\SysWOW64\Ljnlecmp.exe	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Llgdkbfj.dll	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Bgmioggn.dll	Fpbflg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Lbfecjhc.dll	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Loeolc32.exe	Lemkcnaa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noeahkfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll"	Nbnpcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll"	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edbklofb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemic32.dll"	Igqkqiai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpaoopf.dll"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqpnpgeo.dll"	Mojhgbdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlghq32.dll"	Hoogfnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Midfokpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbinam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liaolo32.dll"	Bjnmpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Echknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll"	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgbchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbliicp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcjel32.dll"	Ocamjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgccinoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nipekiep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll"	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnohlgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ochamg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijadbdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Pfagighf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknlanaa.dll"	Gkglja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll"	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npgabc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfjcnold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neppokal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfifmnij.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3580	4264	64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe	86
PID 4264 wrote to memory of 3580	4264	64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe	86
PID 4264 wrote to memory of 3580	4264	64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe	86
PID 3580 wrote to memory of 2948	3580	Dkjmlk32.exe	88
PID 3580 wrote to memory of 2948	3580	Dkjmlk32.exe	88
PID 3580 wrote to memory of 2948	3580	Dkjmlk32.exe	88
PID 2948 wrote to memory of 4116	2948	Dhnnep32.exe	89
PID 2948 wrote to memory of 4116	2948	Dhnnep32.exe	89
PID 2948 wrote to memory of 4116	2948	Dhnnep32.exe	89
PID 4116 wrote to memory of 4432	4116	Dojcgi32.exe	90
PID 4116 wrote to memory of 4432	4116	Dojcgi32.exe	90
PID 4116 wrote to memory of 4432	4116	Dojcgi32.exe	90
PID 4432 wrote to memory of 3608	4432	Ddgkpp32.exe	91
PID 4432 wrote to memory of 3608	4432	Ddgkpp32.exe	91
PID 4432 wrote to memory of 3608	4432	Ddgkpp32.exe	91
PID 3608 wrote to memory of 336	3608	Echknh32.exe	92
PID 3608 wrote to memory of 336	3608	Echknh32.exe	92
PID 3608 wrote to memory of 336	3608	Echknh32.exe	92
PID 336 wrote to memory of 5028	336	Edihepnm.exe	94
PID 336 wrote to memory of 5028	336	Edihepnm.exe	94
PID 336 wrote to memory of 5028	336	Edihepnm.exe	94
PID 5028 wrote to memory of 4476	5028	Ecjhcg32.exe	95
PID 5028 wrote to memory of 4476	5028	Ecjhcg32.exe	95
PID 5028 wrote to memory of 4476	5028	Ecjhcg32.exe	95
PID 4476 wrote to memory of 5104	4476	Edkdkplj.exe	96
PID 4476 wrote to memory of 5104	4476	Edkdkplj.exe	96
PID 4476 wrote to memory of 5104	4476	Edkdkplj.exe	96
PID 5104 wrote to memory of 1772	5104	Elbmlmml.exe	97
PID 5104 wrote to memory of 1772	5104	Elbmlmml.exe	97
PID 5104 wrote to memory of 1772	5104	Elbmlmml.exe	97
PID 1772 wrote to memory of 3468	1772	Eapedd32.exe	98
PID 1772 wrote to memory of 3468	1772	Eapedd32.exe	98
PID 1772 wrote to memory of 3468	1772	Eapedd32.exe	98
PID 3468 wrote to memory of 1012	3468	Ednaqo32.exe	99
PID 3468 wrote to memory of 1012	3468	Ednaqo32.exe	99
PID 3468 wrote to memory of 1012	3468	Ednaqo32.exe	99
PID 1012 wrote to memory of 3872	1012	Ecoangbg.exe	100
PID 1012 wrote to memory of 3872	1012	Ecoangbg.exe	100
PID 1012 wrote to memory of 3872	1012	Ecoangbg.exe	100
PID 3872 wrote to memory of 2420	3872	Ecandfpd.exe	101
PID 3872 wrote to memory of 2420	3872	Ecandfpd.exe	101
PID 3872 wrote to memory of 2420	3872	Ecandfpd.exe	101
PID 2420 wrote to memory of 1612	2420	Edbklofb.exe	102
PID 2420 wrote to memory of 1612	2420	Edbklofb.exe	102
PID 2420 wrote to memory of 1612	2420	Edbklofb.exe	102
PID 1612 wrote to memory of 3540	1612	Fljcmlfd.exe	103
PID 1612 wrote to memory of 3540	1612	Fljcmlfd.exe	103
PID 1612 wrote to memory of 3540	1612	Fljcmlfd.exe	103
PID 3540 wrote to memory of 4772	3540	Fcckif32.exe	104
PID 3540 wrote to memory of 4772	3540	Fcckif32.exe	104
PID 3540 wrote to memory of 4772	3540	Fcckif32.exe	104
PID 4772 wrote to memory of 4608	4772	Fdegandp.exe	105
PID 4772 wrote to memory of 4608	4772	Fdegandp.exe	105
PID 4772 wrote to memory of 4608	4772	Fdegandp.exe	105
PID 4608 wrote to memory of 3724	4608	Fkopnh32.exe	106
PID 4608 wrote to memory of 3724	4608	Fkopnh32.exe	106
PID 4608 wrote to memory of 3724	4608	Fkopnh32.exe	106
PID 3724 wrote to memory of 4876	3724	Fcfhof32.exe	107
PID 3724 wrote to memory of 4876	3724	Fcfhof32.exe	107
PID 3724 wrote to memory of 4876	3724	Fcfhof32.exe	107
PID 4876 wrote to memory of 4532	4876	Ffddka32.exe	108
PID 4876 wrote to memory of 4532	4876	Ffddka32.exe	108
PID 4876 wrote to memory of 4532	4876	Ffddka32.exe	108
PID 4532 wrote to memory of 4172	4532	Fkalchij.exe	109

C:\Users\Admin\AppData\Local\Temp\64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe
"C:\Users\Admin\AppData\Local\Temp\64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\Dkjmlk32.exe
  C:\Windows\system32\Dkjmlk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SysWOW64\Dhnnep32.exe
    C:\Windows\system32\Dhnnep32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Dojcgi32.exe
      C:\Windows\system32\Dojcgi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        24⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        25⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        26⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        27⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        28⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        29⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        30⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        33⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        35⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        36⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        38⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        39⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        41⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        43⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        44⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        45⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        46⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        47⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        48⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        49⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        51⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        54⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        55⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        56⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        58⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        61⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        62⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        63⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        64⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        65⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        67⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        68⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        69⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        70⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        71⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3392
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        73⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        74⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        75⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        76⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        77⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        78⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        79⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        81⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        83⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        84⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Ekefmc32.exe
        
        C:\Windows\system32\Ekefmc32.exe
        85⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Eoekia32.exe
        
        C:\Windows\system32\Eoekia32.exe
        86⤵
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Fhbimf32.exe
        
        C:\Windows\system32\Fhbimf32.exe
        87⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Fkqeib32.exe
        
        C:\Windows\system32\Fkqeib32.exe
        88⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Fefjfked.exe
        
        C:\Windows\system32\Fefjfked.exe
        89⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Fhdfbfdh.exe
        
        C:\Windows\system32\Fhdfbfdh.exe
        90⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Fkcboack.exe
        
        C:\Windows\system32\Fkcboack.exe
        91⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        92⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Gaogak32.exe
        
        C:\Windows\system32\Gaogak32.exe
        93⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Gkglja32.exe
        
        C:\Windows\system32\Gkglja32.exe
        94⤵
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Gnfhfl32.exe
        
        C:\Windows\system32\Gnfhfl32.exe
        95⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Ghklce32.exe
        
        C:\Windows\system32\Ghklce32.exe
        96⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        97⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Gohaeo32.exe
        
        C:\Windows\system32\Gohaeo32.exe
        98⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Gafmaj32.exe
        
        C:\Windows\system32\Gafmaj32.exe
        99⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Ggcfja32.exe
        
        C:\Windows\system32\Ggcfja32.exe
        100⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\Gnmnfkia.exe
        
        C:\Windows\system32\Gnmnfkia.exe
        101⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Ghbbcd32.exe
        
        C:\Windows\system32\Ghbbcd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Goljqnpd.exe
        
        C:\Windows\system32\Goljqnpd.exe
        103⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hdicienl.exe
        
        C:\Windows\system32\Hdicienl.exe
        104⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Hoogfnnb.exe
        
        C:\Windows\system32\Hoogfnnb.exe
        105⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Hdlpneli.exe
        
        C:\Windows\system32\Hdlpneli.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Hkehkocf.exe
        
        C:\Windows\system32\Hkehkocf.exe
        108⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Hbpphi32.exe
        
        C:\Windows\system32\Hbpphi32.exe
        109⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Hhihdcbp.exe
        
        C:\Windows\system32\Hhihdcbp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Hnfamjqg.exe
        
        C:\Windows\system32\Hnfamjqg.exe
        111⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Hdpiid32.exe
        
        C:\Windows\system32\Hdpiid32.exe
        112⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hofmfmhj.exe
        
        C:\Windows\system32\Hofmfmhj.exe
        113⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Hfpecg32.exe
        
        C:\Windows\system32\Hfpecg32.exe
        114⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Hkmnln32.exe
        
        C:\Windows\system32\Hkmnln32.exe
        115⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Inmgmijo.exe
        
        C:\Windows\system32\Inmgmijo.exe
        116⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Idgojc32.exe
        
        C:\Windows\system32\Idgojc32.exe
        117⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Idjlpc32.exe
        
        C:\Windows\system32\Idjlpc32.exe
        118⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Ibpiogmp.exe
        
        C:\Windows\system32\Ibpiogmp.exe
        119⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Lpneegel.exe
        
        C:\Windows\system32\Lpneegel.exe
        120⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Lhijijbg.exe
        
        C:\Windows\system32\Lhijijbg.exe
        121⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lbnngbbn.exe
        
        C:\Windows\system32\Lbnngbbn.exe
        122⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Lemkcnaa.exe
        
        C:\Windows\system32\Lemkcnaa.exe
        123⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Loeolc32.exe
        
        C:\Windows\system32\Loeolc32.exe
        124⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Lbchba32.exe
        
        C:\Windows\system32\Lbchba32.exe
        125⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Mojhgbdl.exe
        
        C:\Windows\system32\Mojhgbdl.exe
        126⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Miomdk32.exe
        
        C:\Windows\system32\Miomdk32.exe
        127⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Mefmimif.exe
        
        C:\Windows\system32\Mefmimif.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Moobbb32.exe
        
        C:\Windows\system32\Moobbb32.exe
        129⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Midfokpm.exe
        
        C:\Windows\system32\Midfokpm.exe
        130⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mblkhq32.exe
        
        C:\Windows\system32\Mblkhq32.exe
        131⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mfjcnold.exe
        
        C:\Windows\system32\Mfjcnold.exe
        132⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Nlglfe32.exe
        
        C:\Windows\system32\Nlglfe32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        134⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Nlihle32.exe
        
        C:\Windows\system32\Nlihle32.exe
        135⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Nohehq32.exe
        
        C:\Windows\system32\Nohehq32.exe
        136⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Npgabc32.exe
        
        C:\Windows\system32\Npgabc32.exe
        138⤵
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Nipekiep.exe
        
        C:\Windows\system32\Nipekiep.exe
        139⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Npjnhc32.exe
        
        C:\Windows\system32\Npjnhc32.exe
        140⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Neffpj32.exe
        
        C:\Windows\system32\Neffpj32.exe
        141⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Nplkmckj.exe
        
        C:\Windows\system32\Nplkmckj.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ogfcjm32.exe
        
        C:\Windows\system32\Ogfcjm32.exe
        143⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Oidofh32.exe
        
        C:\Windows\system32\Oidofh32.exe
        144⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Ooagno32.exe
        
        C:\Windows\system32\Ooagno32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Oenlqi32.exe
        
        C:\Windows\system32\Oenlqi32.exe
        146⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Olgemcli.exe
        
        C:\Windows\system32\Olgemcli.exe
        147⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ocamjm32.exe
        
        C:\Windows\system32\Ocamjm32.exe
        148⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Oohnonij.exe
        
        C:\Windows\system32\Oohnonij.exe
        149⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Oebflhaf.exe
        
        C:\Windows\system32\Oebflhaf.exe
        150⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ollnhb32.exe
        
        C:\Windows\system32\Ollnhb32.exe
        151⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ookjdn32.exe
        
        C:\Windows\system32\Ookjdn32.exe
        152⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        153⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Pomgjn32.exe
        
        C:\Windows\system32\Pomgjn32.exe
        154⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Pfgogh32.exe
        
        C:\Windows\system32\Pfgogh32.exe
        155⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Phelcc32.exe
        
        C:\Windows\system32\Phelcc32.exe
        156⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Poodpmca.exe
        
        C:\Windows\system32\Poodpmca.exe
        157⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Pgflqkdd.exe
        
        C:\Windows\system32\Pgflqkdd.exe
        158⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Pjehmfch.exe
        
        C:\Windows\system32\Pjehmfch.exe
        159⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        160⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Pgihfj32.exe
        
        C:\Windows\system32\Pgihfj32.exe
        161⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Phjenbhp.exe
        
        C:\Windows\system32\Phjenbhp.exe
        162⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        163⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Pcpikkge.exe
        
        C:\Windows\system32\Pcpikkge.exe
        164⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Phlacbfm.exe
        
        C:\Windows\system32\Phlacbfm.exe
        165⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Pofjpl32.exe
        
        C:\Windows\system32\Pofjpl32.exe
        166⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Qgnbaj32.exe
        
        C:\Windows\system32\Qgnbaj32.exe
        167⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        168⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Gkiaej32.exe
        
        C:\Windows\system32\Gkiaej32.exe
        169⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Gnhnaf32.exe
        
        C:\Windows\system32\Gnhnaf32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Ghmbno32.exe
        
        C:\Windows\system32\Ghmbno32.exe
        172⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        173⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Ginnfgop.exe
        
        C:\Windows\system32\Ginnfgop.exe
        174⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        175⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        176⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Ggbook32.exe
        
        C:\Windows\system32\Ggbook32.exe
        177⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Gdfoio32.exe
        
        C:\Windows\system32\Gdfoio32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Hkpheidp.exe
        
        C:\Windows\system32\Hkpheidp.exe
        179⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        180⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Hpmpnp32.exe
        
        C:\Windows\system32\Hpmpnp32.exe
        181⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Hhdhon32.exe
        
        C:\Windows\system32\Hhdhon32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        183⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        184⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        185⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        186⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Hncmmd32.exe
        
        C:\Windows\system32\Hncmmd32.exe
        187⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Hpbiip32.exe
        
        C:\Windows\system32\Hpbiip32.exe
        188⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        189⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Igqkqiai.exe
        
        C:\Windows\system32\Igqkqiai.exe
        190⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Ijogmdqm.exe
        
        C:\Windows\system32\Ijogmdqm.exe
        191⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        192⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ihphkl32.exe
        
        C:\Windows\system32\Ihphkl32.exe
        193⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ijadbdoj.exe
        
        C:\Windows\system32\Ijadbdoj.exe
        194⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        195⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        196⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Kqnbkl32.exe
        
        C:\Windows\system32\Kqnbkl32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Kiggbhda.exe
        
        C:\Windows\system32\Kiggbhda.exe
        198⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        199⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        200⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Kgmcce32.exe
        
        C:\Windows\system32\Kgmcce32.exe
        201⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Kjkpoq32.exe
        
        C:\Windows\system32\Kjkpoq32.exe
        202⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        203⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Kilpmh32.exe
        
        C:\Windows\system32\Kilpmh32.exe
        204⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        205⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        206⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Kgamnded.exe
        
        C:\Windows\system32\Kgamnded.exe
        207⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Lbinam32.exe
        
        C:\Windows\system32\Lbinam32.exe
        208⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Lbkkgl32.exe
        
        C:\Windows\system32\Lbkkgl32.exe
        209⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Lnbklm32.exe
        
        C:\Windows\system32\Lnbklm32.exe
        210⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        211⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        212⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Lbpdblmo.exe
        
        C:\Windows\system32\Lbpdblmo.exe
        213⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        215⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        216⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        217⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        218⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        219⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Nbnpcj32.exe
        
        C:\Windows\system32\Nbnpcj32.exe
        220⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nemmoe32.exe
        
        C:\Windows\system32\Nemmoe32.exe
        221⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Noeahkfc.exe
        
        C:\Windows\system32\Noeahkfc.exe
        222⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        223⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        224⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        225⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        226⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        227⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        228⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        229⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        230⤵
        Drops file in System32 directory
        
        PID:7712
        
        C:\Windows\SysWOW64\Phbhcmjl.exe
        
        C:\Windows\system32\Phbhcmjl.exe
        231⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7832
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        234⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Pkcadhgm.exe
        
        C:\Windows\system32\Pkcadhgm.exe
        235⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7996
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        238⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        239⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        240⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        241⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Alnmjjdb.exe
        
        C:\Windows\system32\Alnmjjdb.exe
        242⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Aakebqbj.exe
        
        C:\Windows\system32\Aakebqbj.exe
        243⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Alqjpi32.exe
        
        C:\Windows\system32\Alqjpi32.exe
        244⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Aoofle32.exe
        
        C:\Windows\system32\Aoofle32.exe
        245⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Afinioip.exe
        
        C:\Windows\system32\Afinioip.exe
        246⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        247⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Aoabad32.exe
        
        C:\Windows\system32\Aoabad32.exe
        248⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        249⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        250⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Acokhc32.exe
        
        C:\Windows\system32\Acokhc32.exe
        251⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Bhldpj32.exe
        
        C:\Windows\system32\Bhldpj32.exe
        252⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        253⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Bbdhiojo.exe
        
        C:\Windows\system32\Bbdhiojo.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7280
        
        C:\Windows\SysWOW64\Bjlpjm32.exe
        
        C:\Windows\system32\Bjlpjm32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7424
        
        C:\Windows\SysWOW64\Bkmmaeap.exe
        
        C:\Windows\system32\Bkmmaeap.exe
        256⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        257⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Bjnmpl32.exe
        
        C:\Windows\system32\Bjnmpl32.exe
        258⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        259⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        260⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Bjpjel32.exe
        
        C:\Windows\system32\Bjpjel32.exe
        261⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        262⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        263⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        264⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Bheffh32.exe
        
        C:\Windows\system32\Bheffh32.exe
        265⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Bkdcbd32.exe
        
        C:\Windows\system32\Bkdcbd32.exe
        266⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        267⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Cfigpm32.exe
        
        C:\Windows\system32\Cfigpm32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7328
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        269⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ckfphc32.exe
        
        C:\Windows\system32\Ckfphc32.exe
        270⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        271⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        272⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Ckilmcgb.exe
        
        C:\Windows\system32\Ckilmcgb.exe
        273⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        274⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        275⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        276⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Cfqmpl32.exe
        
        C:\Windows\system32\Cfqmpl32.exe
        277⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        278⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        279⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        280⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        281⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Ckpbnb32.exe
        
        C:\Windows\system32\Ckpbnb32.exe
        282⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Dbjkkl32.exe
        
        C:\Windows\system32\Dbjkkl32.exe
        283⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        284⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Dcigeooj.exe
        
        C:\Windows\system32\Dcigeooj.exe
        285⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Difpmfna.exe
        
        C:\Windows\system32\Difpmfna.exe
        286⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Dkdliame.exe
        
        C:\Windows\system32\Dkdliame.exe
        287⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        288⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        289⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9000
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        291⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Dlieda32.exe
        
        C:\Windows\system32\Dlieda32.exe
        292⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9112
        
        C:\Windows\SysWOW64\Dfoiaj32.exe
        
        C:\Windows\system32\Dfoiaj32.exe
        294⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        295⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        296⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        297⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Eiobceef.exe
        
        C:\Windows\system32\Eiobceef.exe
        298⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        299⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        300⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        301⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        302⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        303⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        304⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        305⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        306⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        307⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        308⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        309⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Kqdaadln.exe
        
        C:\Windows\system32\Kqdaadln.exe
        310⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        311⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        312⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        313⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        314⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8380
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        316⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9184
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        318⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        319⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        320⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        321⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        322⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        323⤵
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        324⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        325⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        326⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        327⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        328⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        329⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        330⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        331⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        332⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Poliea32.exe
        
        C:\Windows\system32\Poliea32.exe
        333⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        334⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        335⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9068
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        337⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        338⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        339⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        340⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        341⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        342⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        343⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        344⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        345⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        346⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        347⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        348⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        349⤵
        Drops file in System32 directory
        
        PID:8708
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        350⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        351⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        352⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        353⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        354⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        355⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        356⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        357⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        358⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        359⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        360⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        361⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        362⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        363⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        364⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        365⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        366⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        367⤵
        Drops file in System32 directory
        
        PID:8320
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        369⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        370⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        371⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        372⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        373⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        374⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        375⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        376⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        377⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        378⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3840
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        379⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        380⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        381⤵
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        382⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        383⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        384⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        385⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        386⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        387⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        388⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        389⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        390⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        391⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        392⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        393⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        394⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        395⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        396⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3740
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        397⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        398⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        399⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        400⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        401⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        402⤵
        Drops file in System32 directory
        
        PID:9028
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        403⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        404⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        405⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        406⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        407⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        408⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        409⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        410⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        411⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        412⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        413⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        414⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        415⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        416⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        417⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        418⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        419⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        420⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        421⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        422⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        423⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        424⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        425⤵
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        426⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        427⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        428⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        429⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        430⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        431⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        432⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        433⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        434⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        435⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        436⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        437⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        438⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        439⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        440⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        441⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        442⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        443⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        444⤵
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        445⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        446⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        447⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        448⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        449⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        450⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        451⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        452⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        453⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        454⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        455⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        456⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        457⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        458⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        459⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        460⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        461⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        462⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        463⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        464⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        465⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        466⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        467⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        468⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        469⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        470⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        471⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        472⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        473⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        474⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        475⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        476⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        477⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        478⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        479⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        480⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        481⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        482⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        483⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        484⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        485⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        486⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        487⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        488⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        489⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        490⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        491⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        492⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        493⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        494⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        495⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        496⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        497⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        498⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        499⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        500⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        501⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        502⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        503⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        504⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        505⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        506⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        507⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        508⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        509⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        510⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        511⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        512⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        513⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        514⤵
        Modifies registry class
        
        PID:9260
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        515⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        516⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        517⤵
        Drops file in System32 directory
        
        PID:9376
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        518⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        519⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        520⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        521⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        522⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9596
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        523⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        524⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        525⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        526⤵
        Drops file in System32 directory
        
        PID:9768
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        527⤵
        Drops file in System32 directory
        
        PID:9808
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        528⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        529⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        530⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        531⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        532⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        533⤵
        Modifies registry class
        
        PID:10052
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        534⤵
        Modifies registry class
        
        PID:10096
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        535⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10140
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        536⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        537⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        538⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        539⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        540⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        541⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        542⤵
        Drops file in System32 directory
        
        PID:9756
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        543⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        544⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9952
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        546⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        547⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        548⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        549⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        550⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        551⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        552⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        553⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        554⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        555⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        556⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        557⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        558⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        559⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        560⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        561⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        562⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        563⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        564⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        565⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        566⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        567⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        568⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        569⤵
        Drops file in System32 directory
        
        PID:9412
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        570⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        571⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        572⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        573⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        574⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        575⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        576⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        577⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        578⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        579⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        580⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        581⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        582⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        583⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        584⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        585⤵
        Modifies registry class
        
        PID:10120
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        586⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        587⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        588⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        589⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        590⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        591⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        592⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        593⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        594⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        595⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        596⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        597⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        598⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        599⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        600⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        601⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        602⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        603⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        604⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        605⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        606⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        607⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        608⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        609⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        610⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        611⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        612⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        613⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        614⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        615⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        616⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        617⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        618⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        619⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        620⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        621⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8440
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        622⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        623⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        624⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        625⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        626⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        627⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        628⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        629⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        630⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        631⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        632⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        633⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        634⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        635⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        636⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        637⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        638⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        639⤵
        Modifies registry class
        
        PID:7868
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        640⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        641⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9036
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        642⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        643⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        644⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        645⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        646⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        647⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        648⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        649⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        650⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        651⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        652⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        653⤵
        Modifies registry class
        
        PID:9676
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        654⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        655⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        656⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        657⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        658⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        659⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        660⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        661⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        662⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        663⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        664⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        665⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        666⤵
        Drops file in System32 directory
        
        PID:8264
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        667⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        668⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        669⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        670⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        671⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        672⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        673⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        674⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        675⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        676⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        677⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        678⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        679⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        680⤵
        Modifies registry class
        
        PID:8872
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        681⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1900
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        682⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        683⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        684⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        685⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        686⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        687⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        688⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        689⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        690⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        691⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        692⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        693⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        694⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        695⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        696⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        697⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        698⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        699⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2948
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        700⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        701⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        702⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        703⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        704⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        705⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        706⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        707⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        708⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8940
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        709⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        710⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8800
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        711⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        712⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        713⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        714⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        715⤵
        Modifies registry class
        
        PID:9124
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        716⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        717⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        718⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        719⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1064
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        720⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        721⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        722⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        723⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        724⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        725⤵
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        726⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        727⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        728⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        729⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        730⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        731⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        732⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        733⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        734⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        735⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        736⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        737⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        738⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7944
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        739⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        740⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        741⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        742⤵
        
        PID:8592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
385KB

MD5
4fa252a615ccbfd7cd15b471a816bef6

SHA1
d3edcc0e5d2e0b71d613f590b6cea6b4ab017cd7

SHA256
2f6397a354b9b9b075f31b290e53147a3ff5411e95780538054f5b267d48c25c

SHA512
31f72edc0fbca8c5e8dba7e90d35207767c9a12aa9ccac5dae54f501c9903d7479e96267b82126abb66872ac977cfe94913c186c108907a5dcb1f2b16619847d

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
385KB

MD5
21f982e1154d2fb4201e1ce685b0384e

SHA1
3985ffd86a13772ebfbbc32e461072780b13d09f

SHA256
34d2dc70ba34c7f3e30ab4281d24a8918f568ad02a2d10ea90915313590fc41b

SHA512
a406e2e577d3c283cc8c0f584d2f0f0804e57503200a91b986ebb6d592d160b1bc2449eb201a6e6391436d6468c1091c90bec4643980892efc744225a4842ddf

Download Submit
C:\Windows\SysWOW64\Ddgkpp32.exe

Filesize
385KB

MD5
5c96386c43892423bbec17ca0b5ee766

SHA1
ea1aed18b2fa3d19d4cb940ae6e545aeb0233a25

SHA256
c2b31037f59dda324447103ab223d6efa53e887644e111135ade71df177f92a1

SHA512
4e848daf622bb504c982513da481e06ee856acb3ac87ae420ea7bc8cd835a9bade6bbb1074f75e9628e46fe24dd75c611e113cc5fe3375442b74d2070cdf056f

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
385KB

MD5
dfe0fc5d9a4c14cf1303ff140ac680c9

SHA1
830e01537e742180635d93cdfbba70556ffcb1d9

SHA256
d6d6349591c3850e4257debc57d2e5519ca179767ab1fe05b504ca0f2b924e20

SHA512
ebc03d2c797dacd177e2b2da368bc828e6f9a2d28d0b4f7cc1e1cd114dc13cd6e5f3f98b33436ff2fc8a4632c8b8cb5f10b35e4ef2e8435b1aa628b49ab465df

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
385KB

MD5
9e864385a658c8bb4dc268e527bb96ee

SHA1
40956bf3c037e4b92295bfd6448e09d982fed3de

SHA256
a132b30e86537e6d329a4ce5aea8cd2130508b015d4b948a774de82cabc61c18

SHA512
89ebd04364b1c25c88caa3872ec18f4b4e1c1cb2d0aa01ade6b77029367aabe7dd81507e6ffdc31c5cee1b41f9495f31268fb09962aec2e08ff007816d323ac7

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
385KB

MD5
c505807d1c4d61fdd4ce9b9c8f058fe3

SHA1
0003a38c934755de4157550ade6327066b99f4f4

SHA256
c7a3ee448f1ec728a3d383be08b562f1a397f4a5ddc503cdba29ed46b765714c

SHA512
f79527663842054ee1a913cae212d5ca2c3290b09dd472b7a998dfda261a6cd921536d5ddd8921a97109d8f04b7bbae87df9699a027a0eeacfe9bdf2a0fafd34

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
385KB

MD5
9778a0293053a503829c7d8b6cf7f478

SHA1
d75d8d812b0dc5ea439fd4824332a385098d85d7

SHA256
a94300d4f57c24c2cf86e0921f8dabc5a1c8b6e518486622aad26a23d0405cbb

SHA512
1d6545c93c2342c948fc2dd4429023b206bdf19883615875c9f4fd03bd9318ad83c2f276e602526cabc0a392102dfdd48df6e06378583536288e78a87b235a60

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
385KB

MD5
6a96fed447ff0d1f866abd11f5401172

SHA1
e7cd82921a0fd6e0eb1d2dbf8fa09eb0e7eaa9ac

SHA256
d3d44332603554e2efdb76a6b6954f054ebd450caef331e6182d27bb818b0288

SHA512
b8163b9815adbccd108b0fb485799c5e3b2ca9f024dac5214c79beb4688dcb2b84fd25bed99991e5a0a91b97d06a4bc5d9175e2fd2dd222900eeb087f56837b4

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
385KB

MD5
ce4f4d606cfca7885f6291a145b8659e

SHA1
c6bd2cca8e247d823e87d8ccade4012fea052ade

SHA256
1ca8b638083f3c37f82889d48da48ae48f1e1c70556174d6599e20d684abaee9

SHA512
db43d3f312a0d811b38584bfe9426e29dbe63876513b04ab12a73ad6963045133eea52ea61c60d6f04a5dee219835d460c02c5c37ec55b47f4302f1914ac5e57

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
385KB

MD5
1abd2bb4b10903b7c19989ca56634b12

SHA1
165c4aba746f1ecb5e74f90a0ca5df1a9a066487

SHA256
30b13e300af5c0b452a3689e5c8ea7f2eb56cc54ecc2e934029b50aa97c13f1d

SHA512
378a22bd9a6cfac98911937bcfde5f20480fbc04bf7f2d6ff11b15ff11421403a17fab0a82e327e310f9ea5f339d60c7704749a02247e636e53b81c3976f09ef

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
385KB

MD5
64b102e18d71b5f3b419cf6e707bd3b5

SHA1
5dfae6c879718192f3d83781b5dc593fa0287c6f

SHA256
24ba5e396bc6fcfd4e9c4abb94b9fc0249f2363ab259c7cf02fbc792f73aa88c

SHA512
ca365f014257172f2fc2765cf8c387987873640a5c121584298b65f72e4a1861b304844b955c66dfbfe9a4c1319d9be98b53f5a3a99614a527959167e9ae42f7

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
385KB

MD5
c4cffc8fb67d5d21a31e7ca7b3f597e2

SHA1
3cc64a60954940ad89d1872fe1e49f578bbb5ed9

SHA256
fe031c8b2e9d1ba2abf33aa6c5732fc51818bf688452b68c7996340787120281

SHA512
cedfe3c64f9117009583ff00da28730f233f005a150bb6bfe5a33e01993d23f8be9ec0021017d4b7eed7632b8cfd666c581e22905365602748fe1662dc9f8d76

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
385KB

MD5
154a4f2234348bb03347c66df18e9207

SHA1
da98801068af1e792ed3fd55847aee26502c4a53

SHA256
d1af6253f5c9ec1e4cae3af982c2f26b5c53cc1e0bbcc6f9f5490dc4b9f6fde1

SHA512
39571676b1de497dc2ff13f945018c7745728e603c96d67a2fbf4936543db2425c0815e437663fa61e0516e4e4534c2d44bcb58521fb0ad1a6fa10345c28660e

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
385KB

MD5
12c4ba98da88f4dc9d01bc82b254fd56

SHA1
3d5c88b0cc479893f2c1c010c9f80391a5ab76d5

SHA256
3f7913161aeb3ff18f9a2391fcd2838d632c72b9737d3bbff6f3b3d031571388

SHA512
a1539e02d1ea16823219f75e4a174386b6bd696924eb32afbda0d7b904d87120a82c0f7abcba133202b756bb853189485b73c9549f213f2d3af41c1568a1398c

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
385KB

MD5
703860b58149955f1c9296ee7efcaac2

SHA1
d36900bc009bbec42f81012ea6dd655838619d60

SHA256
c181551a14648973a26de4c843509b03b8496f96943d03099e124c6b4177e1f5

SHA512
0d5581aebf2f79dd8ecd5fd74951928810657c0fa6fca155a8e83cc577e6e4827f606d4c3e87923f80fa2692cbee3cfd481aa557736dc83f715a5c224cbb2694

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
385KB

MD5
3e7de643fe492c2de7e2f963cb606107

SHA1
d6f08c9f86308dcf7b874cfe2baf2edfcfde595f

SHA256
49f5044c884d1dd71cd53e6c04225d25f51396f65af364585a2c0ff5b3df0ea8

SHA512
f4434c417b72179974da5a69af7fbad9ad7c9ea52c666ca8aabec90f1ae012ae107bd4ba33ede70f52e9d112447d00ff3ce936417372ff170bc249852023cfb5

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
385KB

MD5
960d768f94320777f6c2924213d4c427

SHA1
3cd93c3d0dac35b74499ae0cf1f29e0c15ff79df

SHA256
04279903b21b62c7feb8ec3f669c0c03694d773fa14a1ea56cfa5d579b88f13a

SHA512
16ea1d420d8ca80f255b6b6c67a11bc9b8c71c472312e2f351938b25a85e816593f0bd9c9069185ae2fc70b311a24cc3a577f29b2f0480c173838dda32768dca

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
385KB

MD5
b378e17014c7c73aaa2631c5a9a28c78

SHA1
f01f461c05117128fbd5a32368df678707123990

SHA256
30d03b053cc22e50fb6840dd39d0d12a5a20867b1883aa32a8441f7911dd27ac

SHA512
fdb545de5872fb37b2bd4866138efeb67e74c1de58f56e4c1dbcbf9c8122b37933666a2dab6a37831e53cbadf0e6f5386fb37c8b958d44694a71fbfee09f9612

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
385KB

MD5
17dd7a17ba990fe0ee2408dc5171e8b8

SHA1
8edb2067bcab13771ae4db94d9f77e4560814796

SHA256
8173dd152902de43c01c153b6d20bb776047f438c5ccbc760414ad928491cf2d

SHA512
da4ebb88f1fa8a80cd15fb8df725aa7609f75fe122f278d0babceb71e4adb027383618013f15eb0c005fa38b68e8aed945ba6b520dba469d28e9f1744bf1c488

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
385KB

MD5
19420bfaf20cd6db1d5366257e9e68e7

SHA1
7f12b1652e1438675c0de6a4c3a8e15973cdafbd

SHA256
114669dfd906b83042165449f20bd6cc8d32b06b8cd6c895e1a2ec90c814b233

SHA512
af00256423f9a5d85deec7283b9512c3537fa161f77b72c58c4f97283114cdc257fedf03334e934061d18ef473c3c0927362e8d009969a70c89c8c1a7ebab310

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
385KB

MD5
959e4c9d77dbac7a4046c90e7d026a47

SHA1
5310225cbbc95ca84fa0d2fbc7782109e4d703bb

SHA256
3bb7f4446a91a9d6535b712761ac9308413cbe1ca08ab02c9f6ce0b78050ba56

SHA512
faaa420a4eb3199fe23f997d529d5bc87896acfbd5cb805222ee65a74d2a4fad0ee5cbfa2bcb4dc40b849a082f39fb7b53dd9c438c2fd21fcaed69abc57e792f

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
385KB

MD5
fa227b228af06a0ed71673fa58a15d15

SHA1
607e77e926db47e5f1bd3962b127583ffda421e6

SHA256
83d1639d67658efd70d8a28f95782ee7731ba8a3fb0567a6b8a43c22ef036935

SHA512
42af399b4e5a79b3e0ffc2d801e8e87a2f64b152ffb5800c54fa351ad0f3c99ec99cd6285dd48e195351faaf9cf01d83da33c6b1f270552efa8fa5b3e942c27e

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
385KB

MD5
56db39b04a1ab521fdca3cc9f1908321

SHA1
775738bceac73e04ca594671702a9c32d6705a33

SHA256
0e1357f68890dab8917369035774071e8917363c5931b14ec7afa7a74252374d

SHA512
6e5029d8708ea21a0bf3abc6e577af9a055e112a499a0295d1cff83a3875974e5d93c670ca40c9c98c51a4a2779e686d790658df3cb7849f598fd137acf0c407

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
385KB

MD5
289b64c53a573db40a1bdcf26c9cfceb

SHA1
4d5b9853bc0466bdabb0255210d109cc43692ae5

SHA256
e9bbf93ff4c8fddd3c4e79f72a89a20974864fdd24af3ccab731d0f0f4b8110b

SHA512
601b7ffc493d2a87bedcd44617e79fb52675e44b07e9a4e5d9df58d5e529a225882d7ece1e9a5cfef66b4d96e1eceeee97041a83e1acc2ac4b0c395df2448e20

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
385KB

MD5
4c88ff6e2320976f01259a5c47873cdd

SHA1
a84e554092c3dac676ddcf8e2e3d8cebb1dd6b3f

SHA256
a56e5070cc52ff3f7f8226daf09709e632483967f77af756f894d1dbbb5c7f95

SHA512
c3737c837579723b9a1eca56132b4651653c2e360b7e63067be5d7b8b09b93cbcce6c3b8d18ef33efbf4de34aefc29ac8b7fb050048d8edd8371dded376554f4

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
385KB

MD5
c8c6048f80b7832a3efe6a6ee2a1f023

SHA1
d9fa8249e3b8fec1ecbc1e7b65c10ff9453299bb

SHA256
c6f084c8106ca2f8666d3ba0f020e7fb6fa5c152255534b5575e4ebd5832e988

SHA512
5808b8f878b0d217d7a0aabcb9abb054e9f25a828f8a1c2ff5b7922744924e3e1d0440d231ada0f0d67e6035a8e7a791338c33e7b7a8252dc17e784af0b51296

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
385KB

MD5
b0ad52a8c1273765a144fe7643aee742

SHA1
fd04b57e67223290e69a7492040168a48a65f9fc

SHA256
f03eff6851a1bbbe0ae0b5946641eb0bcb34855668410346354f3571be0acc96

SHA512
c714d24124fd9333b46f8ffb192951939d360ef9d4a3246180cd97c088ad4e2f56887d8f817d95c3586ff04c4412e351c38d80c6cf818b3188c09bac17d7115d

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
385KB

MD5
e5a43edd23243cebaed80ba46800b558

SHA1
9527f6dedd83e3a21239bef9257ec4eae6564d55

SHA256
9d536ec33f8a42199d3f4bf9782b3910717cf5f9c82bd88e2f443901458e86d7

SHA512
b4843eb0e882e9b5a839452d0f4c6c0f993b81995142a2a4ff091038c48f52584e77d5dd69b20082e17a94a44639fd2a5b32a3ac02bc24673c0360dbf21e50b9

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
385KB

MD5
dd6866d34cd439865770b611318bf136

SHA1
8ad748a3b2c6294e99da75b7f21a651e7b9f3234

SHA256
91bc68769455705582f21fa430df01164e8f61c59014114bbe50f83022b8a17b

SHA512
8de6280cb61594607bfdcad09400e2381532c0d784e666b836147503b94a23575334205e14c302e8b299ba2b2a5192cc20152de33eb8e30187c7f0978a7b6830

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
385KB

MD5
781f48db1de5db19c91bf8416c56b3ca

SHA1
18bc2b6aaa2f58c5adf36249e03bfdff6a4dbb02

SHA256
ec681123466747af0323f4a4190492c5b68299795acb5d10dbc8c4375a71ca5a

SHA512
1abd7b26a18bdc114ca021f516b2db111089b69807ff8bc3d838ee20ab9cf59a5b135214df92b861adeecf04e8b82b0460d70b2bd3a1a35426e129f5df4d1b84

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
385KB

MD5
57d8bedff3c54c7485781e8a130044a4

SHA1
4878370c93bdcfe41ee653e2531b3a81fcb37bad

SHA256
f492461f48c7ea205af1b01595bd940495b75c5a796b4a88a004516cee7a73d5

SHA512
b0b7dfc5d0ec4c58d56bed07604aadeced80b411fe861af8f2835ea0b464100822efa0293ed7c91907153d170f94bf62893dbc4c8feec76a5a507ed1e0f19ead

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
385KB

MD5
412b6f9905fde5d324573c1f66d8333c

SHA1
550c7a9d12f6018ffdc7aa6916161703c94c977f

SHA256
edf3cd9eb43b681001f42615775a2e9223329144a69a502d586e7b62c3d91482

SHA512
46713abd3afd598a9beabd54ffc996f6a6d5974b055112dbbc5b07e7f38b9543e879277a799ea9cab940609a8acbe0edd81a7cc6a41e0ffbe2eb88beb5636f48

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
385KB

MD5
65a0d7dfe9485340b6cb04c970a612bc

SHA1
d577dbc3b82fb4be34ee986ff4826ceba42d284a

SHA256
b437f1823d36e065cfe5d0e605e527ff9683bb301c3bfbd4cfc0d629e7cd4e1d

SHA512
466095534eae43b05886a35cc3e8265fab0a2e5948a2b0b0b8b0eecfa28c2a5bd2709f1bc2a935d264ecaabb17ba054a6e115604f66e7c4b25c27ce937df6d53

Download Submit
C:\Windows\SysWOW64\Foabofnn.exe

Filesize
385KB

MD5
78ee7fcfade517dc58a960479617747d

SHA1
7e0d6244980107c46915d56a57d7f4357fe05198

SHA256
c4cf5986d61eeea0a8f3b909a4785b43e93641eb40043398b285b8a11a00a6e9

SHA512
13d909a718e7e19c1ad26720a760d18db6a48cec1af170ce0a4bb174dba2b8421ebf4afe514aee5a84f5815f2bc7914d745f3633c3f647fede3837fab8602895

Download Submit
C:\Windows\SysWOW64\Ghklce32.exe

Filesize
385KB

MD5
da64a952a66fc0990f16d340fa85784d

SHA1
c328db752b0268b66416e5f1c82f5e797ec458be

SHA256
99705fbb8749fabf6c264c54cb9b4daa7c941be99124d67f4be02ef611437b72

SHA512
1a1f7543ebe3e196e0ce35abba7e94261145ce4a476edd2f453a651a318b32cd4f79b53c5cd93a015ee607a006e6159d6e033305e70e21eb55c2a4a5bb1bbe31

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
385KB

MD5
0666f93ccc9193a8c773484258fc2963

SHA1
0b76a55239794c794460cfe75746c39a22e19f06

SHA256
5c9d456aa227707757f2d52bd7b0e2b7c9be118c740f76d606191eae39377c38

SHA512
e7e0bd13689173c6a9373301fa035fa33d54601447f6531f7740fd4110aaa5a46b3f33c03c5164c5218073559930a374ee047ca056d31365948a13e0dc444a85

Download Submit
C:\Windows\SysWOW64\Lbchba32.exe

Filesize
385KB

MD5
b1a98f024c148f84f3148d168e419860

SHA1
7db594f6ce2975fb1bed2ab44af8a4dc302645f2

SHA256
a3c375091f49d39f019ec57948688e5b3fc3eba280c9c6fb66afae61f541a06b

SHA512
6579f5cd79fc425a4bb671bbaefd6852784a1d62d71c3c99fe3a1d3d84d957f9c4cd90fb5668a88025b2a9a7ceea1836b1532ee54d7c91b4d0b4a6afbac1c6ab

Download Submit
C:\Windows\SysWOW64\Lbinam32.exe

Filesize
385KB

MD5
fa4a7a014a63333b7cd2c1d560c6fc09

SHA1
d6cd1434f6862d773ef289ce9bfbcb4056d9951d

SHA256
8a7d307d9f0cd194f699d72ec84a47d48eb3bf76d4cd7365a742a6cef5367a08

SHA512
7c5eec1b298f7719cc872a376bd911744368fe85fdc7f6c9dea363a7302a3a8c5b263660d3356b81362d883a69bdd80580d2fa981ac583d86c0aafb6c877c533

Download Submit
C:\Windows\SysWOW64\Lpneegel.exe

Filesize
385KB

MD5
c60374a81abfb75e1a8175ef478759fc

SHA1
cce740a7d2f8a826831eeefab2709fa3a405f16d

SHA256
87f98a1944e0cc9048ce9c01db9ab90147c8c43f0b1a831f6711c3886e84de60

SHA512
41046c1a296cd9af363bb27a9b0845a0a58b96b9ca236534a6ef980dd06d2374f4eecea6cb5c9ac32cb41e2c45083325fdb85670c6217eca8d308e715bd70191

Download Submit
C:\Windows\SysWOW64\Mfjcnold.exe

Filesize
385KB

MD5
5f70babeadb22a470e0dadfded09b288

SHA1
e81e2452f407a9426d5014c0b21c9d6ce4ea7e4e

SHA256
92a82abe8279b1a4b0839d3db19f1d285d913fd4b11ab551c4893d24a838b7ee

SHA512
6e0b8a531e49bf308fb39b11e085048aed48b8356631eab41613f89125590494d1a4c715dff69985a3bfbc7be4a4078ec98a4935def77ce52a29ce10fe21c630

Download Submit
C:\Windows\SysWOW64\Noeahkfc.exe

Filesize
385KB

MD5
9a2c303aa4913aced180827a84e2c140

SHA1
98722b12a293f4ec0b4caf2d67da258ecabbcdc9

SHA256
a171994cd66ff0082aba48f4f045acc861d19242dc026c15a98d957ca0f2ad4b

SHA512
e23ed48b3c3efc76856e48cce92e7dfb18309838e3e80e7541a913acb70992e1d97f681e83ac39f1f2a76bf2ea90c1b904a1a736ac30b0cb752515564bf603c9

Download Submit
C:\Windows\SysWOW64\Ooagno32.exe

Filesize
64KB

MD5
a3cbaea140bf16b1055dc7e109cdae64

SHA1
cbffd3ad3fd93c0e481a7ed371f2a27b211098d3

SHA256
14ed0757ae39e0834736dbd565b8624ae40dda3823ddda9de1914d7ba6d42249

SHA512
89e8179fffde395df295ac7b75c2453399233ea8c105e25b58219af141cffb978d3b69bd276bbe0de4dbb2a05c3952827cac0fea8a6522694b32b3483fccf74b

Download Submit
C:\Windows\SysWOW64\Oocmii32.exe

Filesize
385KB

MD5
ea07d8bcf7ceb2b7fc1fb41695af1830

SHA1
aa2948dccddf02e900c27bda5ab2e8d0381d7f9c

SHA256
c4f4c028596d7760390a2ec0e57a12de6f2e09b0470a9843d157f4dee8592ba7

SHA512
f19d8c79bdc2f361d764338936fb45d46fdb984bcf6ef63d042e89ae477f0d0f63a184e230a261dc1c5729c21d56c252abcde8c2c6ec801c7ada3e3db0546ee0

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
385KB

MD5
96ca8f676869d7e7bd6326b2bdf99098

SHA1
38b045f576f0566f642219989cd110f30349a91f

SHA256
f8342acbf70808665aea5e48fbd221f293dd9ef201451cbf1a6467ca57752f55

SHA512
189d58363c521f0e22520db02135942689e5d379e70fa6a5fa712ecf1fc17e14da5e697fcbcfb363e9eb13d3c3cc6b6dd563cf058b5c65789b71a20e4272de23

Download Submit
C:\Windows\SysWOW64\Qofcff32.exe

Filesize
385KB

MD5
96c4957bef0384dd6f81fd6788c08542

SHA1
207d164af708788ab2fe604a96925d15fee150d2

SHA256
1097c3e5dae70160eedc63479fe4ac20c54c86f5d16328ef687d59f7fa1f05e5

SHA512
3e7a573ed94789fa07e3a3a944ac82d3a241fbccfc962505c1c0860b6a1ea1a30526ed48f3b26a622b8d9c40aa0ce813283d77141a3861acaaec9242878eaaf1

Download Submit
memory/116-431-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/320-455-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/596-597-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/632-554-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/856-479-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/972-432-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1012-389-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1056-422-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1196-435-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1208-514-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1364-605-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1396-533-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1452-421-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1596-461-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1612-393-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1664-429-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1772-373-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1788-491-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1920-562-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1976-424-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2056-497-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2060-508-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2072-434-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2420-392-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-426-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2532-436-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2592-437-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2948-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3224-425-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3392-467-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3468-388-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3540-397-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3560-525-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3580-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3608-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3672-438-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3724-417-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3848-440-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3872-391-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4008-614-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4028-439-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4092-427-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4116-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4172-420-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4184-423-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4252-430-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4264-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4264-3-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4264-454-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4372-528-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4432-33-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4456-442-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4476-441-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4532-419-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4540-473-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4592-485-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4608-416-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4772-415-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4876-418-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4880-428-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4912-433-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5028-366-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5060-448-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5104-371-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads