bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571

Resubmissions

16/04/2024, 01:46

240416-b7cx4sgb8x 10

16/04/2024, 01:40

240416-b3h9bsga7v 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
Size

80KB
MD5

52e59a3f50af9bf76936e7e7f682afaf
SHA1

8d9e6bd2afb90bdc5a7a5f0c73fc6222cd4ee99b
SHA256

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571
SHA512

726409abf756e37d4ef9eafae7a4e828d7d120584fd23773be81e51300fe2a46b0db1f4d85550afe02e121bfa469cdbe0b4780b8dee54e1c39d80bf63eca114c
SSDEEP

1536:nMXLXQ2VEmF/QncOw1CCbhgOLzDfWqdMVrlEFtyb7IYOOqw4Tv:Is25QcOwcC6+zTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igcoqocb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eipinkib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djcoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmkhgho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebdlangb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijdjfdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfodbqfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haafcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjlmclqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkahilkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfgdkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nheble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdlangb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaompd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmbmkpie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhnkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpmjejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goglcahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnphmkji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojlaeei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncofplba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjehmfch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idkbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlklkgei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijlof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooejohhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijegcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olbdhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdfmlhna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edopabqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlieda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bombmcec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlqomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fonnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollnhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooejohhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpqfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpbflg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdncmghi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjhoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkjhoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifleoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbmdn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3928	Aepefb32.exe
3592	Bcebhoii.exe
4264	Bfdodjhm.exe
1144	Beeoaapl.exe
3400	Bgcknmop.exe
720	Bnmcjg32.exe
1628	Bnpppgdj.exe
2636	Banllbdn.exe
864	Bnbmefbg.exe
3572	Bapiabak.exe
3468	Cfmajipb.exe
4844	Cfpnph32.exe
3412	Cnffqf32.exe
2236	Cdcoim32.exe
1288	Cffdpghg.exe
3180	Ddjejl32.exe
1460	Dmcibama.exe
1380	Ddmaok32.exe
3972	Dhhnpjmh.exe
2716	Fddqghpd.exe
688	Fgbmccpg.exe
4820	Fnmepn32.exe
3452	Fdfmlhna.exe
4324	Fkqeib32.exe
4348	Fdijbg32.exe
1744	Fonnop32.exe
5000	Famjkl32.exe
776	Fdkggg32.exe
2132	Gdncmghi.exe
4464	Gkglja32.exe
540	Gempgj32.exe
4780	Gkjhoq32.exe
3680	Gdbmhf32.exe
4364	Gkleeplq.exe
1348	Gnkaalkd.exe
4008	Gojnko32.exe
3636	Ggeboaob.exe
2712	Hheoid32.exe
1508	Hghoeqmp.exe
368	Hbmcbime.exe
1868	Hdlpneli.exe
3224	Hfklhhcl.exe
3120	Hglipp32.exe
4948	Hocqam32.exe
4716	Hdpiid32.exe
2148	Hgoeep32.exe
2892	Hfpecg32.exe
4412	Hkmnln32.exe
412	Inkjhi32.exe
3104	Igcoqocb.exe
4860	Iokgal32.exe
1368	Ifdonfka.exe
860	Iickkbje.exe
2520	Ikaggmii.exe
4968	Idjlpc32.exe
3608	Ighhln32.exe
2640	Ifihif32.exe
1252	Igjeanmj.exe
2576	Ifleoe32.exe
1860	Ienekbld.exe
212	Jkhngl32.exe
3248	Jeqbpb32.exe
4088	Jnifigpa.exe
2184	Jecofa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blnlefae.dll	Ckmehb32.exe
File opened for modification	C:\Windows\SysWOW64\Ponfka32.exe	Okkdic32.exe
File opened for modification	C:\Windows\SysWOW64\Ifdonfka.exe	Iokgal32.exe
File created	C:\Windows\SysWOW64\Jdgccn32.dll	Efblbbqd.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Npiiffqe.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Nqgnfcmm.dll	Enmjlojd.exe
File opened for modification	C:\Windows\SysWOW64\Koajmepf.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Mjhedo32.dll	Hkmnln32.exe
File created	C:\Windows\SysWOW64\Lhkgoiqe.exe	Lfjjga32.exe
File created	C:\Windows\SysWOW64\Eipinkib.exe	Dhomfc32.exe
File created	C:\Windows\SysWOW64\Cjgpfk32.exe	Cbphdn32.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Hpfbcn32.exe	Ghojbq32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Fpnfmjbo.dll	Bgeaifia.exe
File created	C:\Windows\SysWOW64\Fjohde32.exe	Fdepgkgj.exe
File opened for modification	C:\Windows\SysWOW64\Hifcgion.exe	Hoaojp32.exe
File created	C:\Windows\SysWOW64\Gfkincfn.dll	Nemcjk32.exe
File created	C:\Windows\SysWOW64\Jifpbd32.dll	Hdlpneli.exe
File opened for modification	C:\Windows\SysWOW64\Bclang32.exe	Bifmqo32.exe
File created	C:\Windows\SysWOW64\Dfokdq32.dll	Hjchaf32.exe
File created	C:\Windows\SysWOW64\Fcgeilmb.dll	Dpgnjo32.exe
File created	C:\Windows\SysWOW64\Mdfggeba.dll	Ejoomhmi.exe
File created	C:\Windows\SysWOW64\Kiljgf32.dll	Dkokcl32.exe
File created	C:\Windows\SysWOW64\Kghfphob.dll	Ipoheakj.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Enmjlojd.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Ehighp32.dll	Idghpmnp.exe
File opened for modification	C:\Windows\SysWOW64\Pifnhpmi.exe	Papfgbmg.exe
File opened for modification	C:\Windows\SysWOW64\Fjmkoeqi.exe	Fbfcmhpg.exe
File created	C:\Windows\SysWOW64\Eofgpikj.exe	Eiloco32.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Kihnmohm.exe	Kihnmohm.exe
File created	C:\Windows\SysWOW64\Cgbiiion.dll	Dcjnoece.exe
File opened for modification	C:\Windows\SysWOW64\Ecgcfm32.exe	Eplgeokq.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Ohmkjd32.dll	Dmpfbk32.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Eklajcmc.exe	Ebdlangb.exe
File created	C:\Windows\SysWOW64\Qmfqknfm.dll	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Ondljl32.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Dobhii32.dll	Oocddono.exe
File created	C:\Windows\SysWOW64\Ppadalgj.dll	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Hoaojp32.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Mmmqhl32.exe	Mjodla32.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Enmjlojd.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Loglacfo.exe	Lhncdi32.exe
File opened for modification	C:\Windows\SysWOW64\Idkbkl32.exe	Inainbcn.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Ahamlm32.dll	Gkleeplq.exe
File created	C:\Windows\SysWOW64\Fknbil32.exe	Fhofmq32.exe
File opened for modification	C:\Windows\SysWOW64\Bopocbcq.exe	Bheffh32.exe
File created	C:\Windows\SysWOW64\Iplkpa32.exe	Iomoenej.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Fooclapd.exe	Eghkjdoa.exe
File opened for modification	C:\Windows\SysWOW64\Fdlkdhnk.exe	Fbmohmoh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7920	8184	WerFault.exe	937

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkibdpe.dll"	Pefhlaie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmbmkpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll"	Deqcbpld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajcdnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpfcdojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djjebh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcbnnpka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhncdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglfodah.dll"	Mbedga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomkkpc.dll"	Djqblj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaoeoo.dll"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkhcegh.dll"	Gojnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miaboe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ienekbld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmpfbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahglpk.dll"	Bcddcbab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpgoecp.dll"	Hkpqkcpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojbacd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alpbecod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilqdmae.dll"	Cgqqdeod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdijbplg.dll"	Hgoeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmniml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oehlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcgdbco.dll"	Ikaggmii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomifecf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll"	Hckeoeno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll"	Bclang32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlpjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hehkajig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haoimcgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ighhln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmfclm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll"	Jofalmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Ghojbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khbdikip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leenhhdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnkcp32.dll"	Fgbmccpg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4636	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	taskmgr.exe
Token: SeSystemProfilePrivilege	4636	taskmgr.exe
Token: SeCreateGlobalPrivilege	4636	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3928	1920	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	83
PID 1920 wrote to memory of 3928	1920	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	83
PID 1920 wrote to memory of 3928	1920	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	83
PID 3928 wrote to memory of 3592	3928	Aepefb32.exe	84
PID 3928 wrote to memory of 3592	3928	Aepefb32.exe	84
PID 3928 wrote to memory of 3592	3928	Aepefb32.exe	84
PID 3592 wrote to memory of 4264	3592	Bcebhoii.exe	86
PID 3592 wrote to memory of 4264	3592	Bcebhoii.exe	86
PID 3592 wrote to memory of 4264	3592	Bcebhoii.exe	86
PID 4264 wrote to memory of 1144	4264	Bfdodjhm.exe	87
PID 4264 wrote to memory of 1144	4264	Bfdodjhm.exe	87
PID 4264 wrote to memory of 1144	4264	Bfdodjhm.exe	87
PID 1144 wrote to memory of 3400	1144	Beeoaapl.exe	88
PID 1144 wrote to memory of 3400	1144	Beeoaapl.exe	88
PID 1144 wrote to memory of 3400	1144	Beeoaapl.exe	88
PID 3400 wrote to memory of 720	3400	Bgcknmop.exe	89
PID 3400 wrote to memory of 720	3400	Bgcknmop.exe	89
PID 3400 wrote to memory of 720	3400	Bgcknmop.exe	89
PID 720 wrote to memory of 1628	720	Bnmcjg32.exe	90
PID 720 wrote to memory of 1628	720	Bnmcjg32.exe	90
PID 720 wrote to memory of 1628	720	Bnmcjg32.exe	90
PID 1628 wrote to memory of 2636	1628	Bnpppgdj.exe	91
PID 1628 wrote to memory of 2636	1628	Bnpppgdj.exe	91
PID 1628 wrote to memory of 2636	1628	Bnpppgdj.exe	91
PID 2636 wrote to memory of 864	2636	Banllbdn.exe	92
PID 2636 wrote to memory of 864	2636	Banllbdn.exe	92
PID 2636 wrote to memory of 864	2636	Banllbdn.exe	92
PID 864 wrote to memory of 3572	864	Bnbmefbg.exe	94
PID 864 wrote to memory of 3572	864	Bnbmefbg.exe	94
PID 864 wrote to memory of 3572	864	Bnbmefbg.exe	94
PID 3572 wrote to memory of 3468	3572	Bapiabak.exe	95
PID 3572 wrote to memory of 3468	3572	Bapiabak.exe	95
PID 3572 wrote to memory of 3468	3572	Bapiabak.exe	95
PID 3468 wrote to memory of 4844	3468	Cfmajipb.exe	96
PID 3468 wrote to memory of 4844	3468	Cfmajipb.exe	96
PID 3468 wrote to memory of 4844	3468	Cfmajipb.exe	96
PID 4844 wrote to memory of 3412	4844	Cfpnph32.exe	97
PID 4844 wrote to memory of 3412	4844	Cfpnph32.exe	97
PID 4844 wrote to memory of 3412	4844	Cfpnph32.exe	97
PID 3412 wrote to memory of 2236	3412	Cnffqf32.exe	99
PID 3412 wrote to memory of 2236	3412	Cnffqf32.exe	99
PID 3412 wrote to memory of 2236	3412	Cnffqf32.exe	99
PID 2236 wrote to memory of 1288	2236	Cdcoim32.exe	100
PID 2236 wrote to memory of 1288	2236	Cdcoim32.exe	100
PID 2236 wrote to memory of 1288	2236	Cdcoim32.exe	100
PID 1288 wrote to memory of 3180	1288	Cffdpghg.exe	101
PID 1288 wrote to memory of 3180	1288	Cffdpghg.exe	101
PID 1288 wrote to memory of 3180	1288	Cffdpghg.exe	101
PID 3180 wrote to memory of 1460	3180	Ddjejl32.exe	102
PID 3180 wrote to memory of 1460	3180	Ddjejl32.exe	102
PID 3180 wrote to memory of 1460	3180	Ddjejl32.exe	102
PID 1460 wrote to memory of 1380	1460	Dmcibama.exe	103
PID 1460 wrote to memory of 1380	1460	Dmcibama.exe	103
PID 1460 wrote to memory of 1380	1460	Dmcibama.exe	103
PID 1380 wrote to memory of 3972	1380	Ddmaok32.exe	104
PID 1380 wrote to memory of 3972	1380	Ddmaok32.exe	104
PID 1380 wrote to memory of 3972	1380	Ddmaok32.exe	104
PID 3972 wrote to memory of 2716	3972	Dhhnpjmh.exe	105
PID 3972 wrote to memory of 2716	3972	Dhhnpjmh.exe	105
PID 3972 wrote to memory of 2716	3972	Dhhnpjmh.exe	105
PID 2716 wrote to memory of 688	2716	Fddqghpd.exe	106
PID 2716 wrote to memory of 688	2716	Fddqghpd.exe	106
PID 2716 wrote to memory of 688	2716	Fddqghpd.exe	106
PID 688 wrote to memory of 4820	688	Fgbmccpg.exe	107

C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
"C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Bcebhoii.exe
    C:\Windows\system32\Bcebhoii.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\Bfdodjhm.exe
      C:\Windows\system32\Bfdodjhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Fddqghpd.exe
        
        C:\Windows\system32\Fddqghpd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Fgbmccpg.exe
        
        C:\Windows\system32\Fgbmccpg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Fnmepn32.exe
        
        C:\Windows\system32\Fnmepn32.exe
        23⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Fkqeib32.exe
        
        C:\Windows\system32\Fkqeib32.exe
        25⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Fdijbg32.exe
        
        C:\Windows\system32\Fdijbg32.exe
        26⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Fonnop32.exe
        
        C:\Windows\system32\Fonnop32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Famjkl32.exe
        
        C:\Windows\system32\Famjkl32.exe
        28⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        29⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Gdncmghi.exe
        
        C:\Windows\system32\Gdncmghi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Gkglja32.exe
        
        C:\Windows\system32\Gkglja32.exe
        31⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Gempgj32.exe
        
        C:\Windows\system32\Gempgj32.exe
        32⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Gkjhoq32.exe
        
        C:\Windows\system32\Gkjhoq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        34⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Gkleeplq.exe
        
        C:\Windows\system32\Gkleeplq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Gnkaalkd.exe
        
        C:\Windows\system32\Gnkaalkd.exe
        36⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Gojnko32.exe
        
        C:\Windows\system32\Gojnko32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ggeboaob.exe
        
        C:\Windows\system32\Ggeboaob.exe
        38⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Hheoid32.exe
        
        C:\Windows\system32\Hheoid32.exe
        39⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Hghoeqmp.exe
        
        C:\Windows\system32\Hghoeqmp.exe
        40⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Hbmcbime.exe
        
        C:\Windows\system32\Hbmcbime.exe
        41⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Hdlpneli.exe
        
        C:\Windows\system32\Hdlpneli.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Hfklhhcl.exe
        
        C:\Windows\system32\Hfklhhcl.exe
        43⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Hglipp32.exe
        
        C:\Windows\system32\Hglipp32.exe
        44⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Hocqam32.exe
        
        C:\Windows\system32\Hocqam32.exe
        45⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Hdpiid32.exe
        
        C:\Windows\system32\Hdpiid32.exe
        46⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Hgoeep32.exe
        
        C:\Windows\system32\Hgoeep32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Hfpecg32.exe
        
        C:\Windows\system32\Hfpecg32.exe
        48⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Hkmnln32.exe
        
        C:\Windows\system32\Hkmnln32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Inkjhi32.exe
        
        C:\Windows\system32\Inkjhi32.exe
        50⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Igcoqocb.exe
        
        C:\Windows\system32\Igcoqocb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Iokgal32.exe
        
        C:\Windows\system32\Iokgal32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ifdonfka.exe
        
        C:\Windows\system32\Ifdonfka.exe
        53⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Iickkbje.exe
        
        C:\Windows\system32\Iickkbje.exe
        54⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Ikaggmii.exe
        
        C:\Windows\system32\Ikaggmii.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Idjlpc32.exe
        
        C:\Windows\system32\Idjlpc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Ighhln32.exe
        
        C:\Windows\system32\Ighhln32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ifihif32.exe
        
        C:\Windows\system32\Ifihif32.exe
        58⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Igjeanmj.exe
        
        C:\Windows\system32\Igjeanmj.exe
        59⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Ifleoe32.exe
        
        C:\Windows\system32\Ifleoe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Ienekbld.exe
        
        C:\Windows\system32\Ienekbld.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Jkhngl32.exe
        
        C:\Windows\system32\Jkhngl32.exe
        62⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        63⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Jnifigpa.exe
        
        C:\Windows\system32\Jnifigpa.exe
        64⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        65⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Jgakbm32.exe
        
        C:\Windows\system32\Jgakbm32.exe
        66⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Jnkcogno.exe
        
        C:\Windows\system32\Jnkcogno.exe
        67⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Jfbkpd32.exe
        
        C:\Windows\system32\Jfbkpd32.exe
        68⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Jiaglp32.exe
        
        C:\Windows\system32\Jiaglp32.exe
        69⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        70⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Jpkphjeb.exe
        
        C:\Windows\system32\Jpkphjeb.exe
        71⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Jehhaaci.exe
        
        C:\Windows\system32\Jehhaaci.exe
        72⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Jicdap32.exe
        
        C:\Windows\system32\Jicdap32.exe
        73⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Jpmlnjco.exe
        
        C:\Windows\system32\Jpmlnjco.exe
        74⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Jfgdkd32.exe
        
        C:\Windows\system32\Jfgdkd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3188
        
        C:\Windows\SysWOW64\Jieagojp.exe
        
        C:\Windows\system32\Jieagojp.exe
        76⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        77⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\Kihnmohm.exe
        
        C:\Windows\system32\Kihnmohm.exe
        78⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Kihnmohm.exe
        
        C:\Windows\system32\Kihnmohm.exe
        79⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Klfjijgq.exe
        
        C:\Windows\system32\Klfjijgq.exe
        80⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Keonap32.exe
        
        C:\Windows\system32\Keonap32.exe
        81⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Kijjbofj.exe
        
        C:\Windows\system32\Kijjbofj.exe
        82⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Kngcje32.exe
        
        C:\Windows\system32\Kngcje32.exe
        83⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kbbokdlk.exe
        
        C:\Windows\system32\Kbbokdlk.exe
        84⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Kimghn32.exe
        
        C:\Windows\system32\Kimghn32.exe
        85⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Kpgodhkd.exe
        
        C:\Windows\system32\Kpgodhkd.exe
        86⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Kfqgab32.exe
        
        C:\Windows\system32\Kfqgab32.exe
        87⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Khbdikip.exe
        
        C:\Windows\system32\Khbdikip.exe
        88⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Kbghfc32.exe
        
        C:\Windows\system32\Kbghfc32.exe
        89⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kiaqcnpb.exe
        
        C:\Windows\system32\Kiaqcnpb.exe
        90⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        91⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lblaabdp.exe
        
        C:\Windows\system32\Lblaabdp.exe
        92⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Lhijijbg.exe
        
        C:\Windows\system32\Lhijijbg.exe
        93⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lfjjga32.exe
        
        C:\Windows\system32\Lfjjga32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Lhkgoiqe.exe
        
        C:\Windows\system32\Lhkgoiqe.exe
        95⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Lbqklb32.exe
        
        C:\Windows\system32\Lbqklb32.exe
        96⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Likcilhh.exe
        
        C:\Windows\system32\Likcilhh.exe
        97⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Lhncdi32.exe
        
        C:\Windows\system32\Lhncdi32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Loglacfo.exe
        
        C:\Windows\system32\Loglacfo.exe
        99⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lfodbqfa.exe
        
        C:\Windows\system32\Lfodbqfa.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Mlklkgei.exe
        
        C:\Windows\system32\Mlklkgei.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mbedga32.exe
        
        C:\Windows\system32\Mbedga32.exe
        102⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Medqcmki.exe
        
        C:\Windows\system32\Medqcmki.exe
        103⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mfcmmp32.exe
        
        C:\Windows\system32\Mfcmmp32.exe
        104⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Mlpeff32.exe
        
        C:\Windows\system32\Mlpeff32.exe
        105⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mbjnbqhp.exe
        
        C:\Windows\system32\Mbjnbqhp.exe
        106⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        107⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Mleoafmn.exe
        
        C:\Windows\system32\Mleoafmn.exe
        108⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Nlglfe32.exe
        
        C:\Windows\system32\Nlglfe32.exe
        110⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        111⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Npjnhc32.exe
        
        C:\Windows\system32\Npjnhc32.exe
        112⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Nheble32.exe
        
        C:\Windows\system32\Nheble32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Nlqomd32.exe
        
        C:\Windows\system32\Nlqomd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Oocddono.exe
        
        C:\Windows\system32\Oocddono.exe
        115⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ogmijllo.exe
        
        C:\Windows\system32\Ogmijllo.exe
        116⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Ohnebd32.exe
        
        C:\Windows\system32\Ohnebd32.exe
        117⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ollnhb32.exe
        
        C:\Windows\system32\Ollnhb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        119⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Pckppl32.exe
        
        C:\Windows\system32\Pckppl32.exe
        120⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Pjehmfch.exe
        
        C:\Windows\system32\Pjehmfch.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        122⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Pgihfj32.exe
        
        C:\Windows\system32\Pgihfj32.exe
        123⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        124⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Pjjahe32.exe
        
        C:\Windows\system32\Pjjahe32.exe
        125⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Plhnda32.exe
        
        C:\Windows\system32\Plhnda32.exe
        126⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        127⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Acgolj32.exe
        
        C:\Windows\system32\Acgolj32.exe
        128⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        129⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ajcdnd32.exe
        
        C:\Windows\system32\Ajcdnd32.exe
        130⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Aopmfk32.exe
        
        C:\Windows\system32\Aopmfk32.exe
        131⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Afjeceml.exe
        
        C:\Windows\system32\Afjeceml.exe
        132⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        133⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        134⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Aqaffn32.exe
        
        C:\Windows\system32\Aqaffn32.exe
        135⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        136⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Ajjjocap.exe
        
        C:\Windows\system32\Ajjjocap.exe
        137⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        138⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Biogppeg.exe
        
        C:\Windows\system32\Biogppeg.exe
        139⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Bjodjb32.exe
        
        C:\Windows\system32\Bjodjb32.exe
        140⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Boklbi32.exe
        
        C:\Windows\system32\Boklbi32.exe
        141⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        142⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Bifmqo32.exe
        
        C:\Windows\system32\Bifmqo32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Bclang32.exe
        
        C:\Windows\system32\Bclang32.exe
        144⤵
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Bihjfnmm.exe
        
        C:\Windows\system32\Bihjfnmm.exe
        145⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        146⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Cmfclm32.exe
        
        C:\Windows\system32\Cmfclm32.exe
        147⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Cmipblaq.exe
        
        C:\Windows\system32\Cmipblaq.exe
        148⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Cgndoeag.exe
        
        C:\Windows\system32\Cgndoeag.exe
        149⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        150⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cmniml32.exe
        
        C:\Windows\system32\Cmniml32.exe
        151⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Dmpfbk32.exe
        
        C:\Windows\system32\Dmpfbk32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Dmpfbk32.exe
        
        C:\Windows\system32\Dmpfbk32.exe
        153⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dakacjdb.exe
        
        C:\Windows\system32\Dakacjdb.exe
        154⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Dcjnoece.exe
        
        C:\Windows\system32\Dcjnoece.exe
        155⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        156⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Dapkni32.exe
        
        C:\Windows\system32\Dapkni32.exe
        157⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        158⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        159⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        160⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Dhomfc32.exe
        
        C:\Windows\system32\Dhomfc32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Eipinkib.exe
        
        C:\Windows\system32\Eipinkib.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        163⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ehailbaa.exe
        
        C:\Windows\system32\Ehailbaa.exe
        164⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Ejbbmnnb.exe
        
        C:\Windows\system32\Ejbbmnnb.exe
        165⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        166⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Edopabqn.exe
        
        C:\Windows\system32\Edopabqn.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Fmgejhgn.exe
        
        C:\Windows\system32\Fmgejhgn.exe
        168⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Fdamgb32.exe
        
        C:\Windows\system32\Fdamgb32.exe
        169⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Fkkeclfh.exe
        
        C:\Windows\system32\Fkkeclfh.exe
        170⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        171⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Fhofmq32.exe
        
        C:\Windows\system32\Fhofmq32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Fknbil32.exe
        
        C:\Windows\system32\Fknbil32.exe
        173⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        174⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        175⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Fkpool32.exe
        
        C:\Windows\system32\Fkpool32.exe
        176⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Fpmggb32.exe
        
        C:\Windows\system32\Fpmggb32.exe
        177⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Fkbkdkpp.exe
        
        C:\Windows\system32\Fkbkdkpp.exe
        178⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        179⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Gacjadad.exe
        
        C:\Windows\system32\Gacjadad.exe
        180⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ginnfgop.exe
        
        C:\Windows\system32\Ginnfgop.exe
        181⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Gphgbafl.exe
        
        C:\Windows\system32\Gphgbafl.exe
        182⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        183⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Hkpheidp.exe
        
        C:\Windows\system32\Hkpheidp.exe
        184⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Hdilnojp.exe
        
        C:\Windows\system32\Hdilnojp.exe
        186⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        187⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Hnaqgd32.exe
        
        C:\Windows\system32\Hnaqgd32.exe
        188⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Hjhalefe.exe
        
        C:\Windows\system32\Hjhalefe.exe
        189⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        190⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        191⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Haafcb32.exe
        
        C:\Windows\system32\Haafcb32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Hhknpmma.exe
        
        C:\Windows\system32\Hhknpmma.exe
        193⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Hjlkge32.exe
        
        C:\Windows\system32\Hjlkge32.exe
        194⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Hpfcdojl.exe
        
        C:\Windows\system32\Hpfcdojl.exe
        195⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        196⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        197⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Inmpcc32.exe
        
        C:\Windows\system32\Inmpcc32.exe
        198⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        199⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Ijcahd32.exe
        
        C:\Windows\system32\Ijcahd32.exe
        200⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Iggaah32.exe
        
        C:\Windows\system32\Iggaah32.exe
        201⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Inainbcn.exe
        
        C:\Windows\system32\Inainbcn.exe
        202⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Inainbcn.exe
        
        C:\Windows\system32\Inainbcn.exe
        203⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Ibobdqid.exe
        
        C:\Windows\system32\Ibobdqid.exe
        205⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Jdnoplhh.exe
        
        C:\Windows\system32\Jdnoplhh.exe
        206⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Jnfcia32.exe
        
        C:\Windows\system32\Jnfcia32.exe
        207⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Jhlgfj32.exe
        
        C:\Windows\system32\Jhlgfj32.exe
        208⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        209⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Jhndljll.exe
        
        C:\Windows\system32\Jhndljll.exe
        210⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        211⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Kqnbkl32.exe
        
        C:\Windows\system32\Kqnbkl32.exe
        212⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Kghjhemo.exe
        
        C:\Windows\system32\Kghjhemo.exe
        213⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        214⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Kjhcjq32.exe
        
        C:\Windows\system32\Kjhcjq32.exe
        215⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        216⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        217⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Kjpijpdg.exe
        
        C:\Windows\system32\Kjpijpdg.exe
        218⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        219⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Leenhhdn.exe
        
        C:\Windows\system32\Leenhhdn.exe
        220⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Lgcjdd32.exe
        
        C:\Windows\system32\Lgcjdd32.exe
        221⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        222⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        223⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Lbkkgl32.exe
        
        C:\Windows\system32\Lbkkgl32.exe
        224⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Laqhhi32.exe
        
        C:\Windows\system32\Laqhhi32.exe
        225⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Llflea32.exe
        
        C:\Windows\system32\Llflea32.exe
        226⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        227⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        228⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        230⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        231⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        232⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        233⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        234⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Miaboe32.exe
        
        C:\Windows\system32\Miaboe32.exe
        235⤵
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        236⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        237⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Mnphmkji.exe
        
        C:\Windows\system32\Mnphmkji.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7892
        
        C:\Windows\SysWOW64\Mifljdjo.exe
        
        C:\Windows\system32\Mifljdjo.exe
        239⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Nihipdhl.exe
        
        C:\Windows\system32\Nihipdhl.exe
        240⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Nbqmiinl.exe
        
        C:\Windows\system32\Nbqmiinl.exe
        241⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        242⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        243⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nkqkhk32.exe
        
        C:\Windows\system32\Nkqkhk32.exe
        244⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        245⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Niakfbpa.exe
        
        C:\Windows\system32\Niakfbpa.exe
        246⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        247⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Oondnini.exe
        
        C:\Windows\system32\Oondnini.exe
        248⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Oehlkc32.exe
        
        C:\Windows\system32\Oehlkc32.exe
        249⤵
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7504
        
        C:\Windows\SysWOW64\Oaompd32.exe
        
        C:\Windows\system32\Oaompd32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        252⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        253⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7832
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        256⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Pcepkfld.exe
        
        C:\Windows\system32\Pcepkfld.exe
        257⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Phbhcmjl.exe
        
        C:\Windows\system32\Phbhcmjl.exe
        258⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        259⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Pefhlaie.exe
        
        C:\Windows\system32\Pefhlaie.exe
        260⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Phedhmhi.exe
        
        C:\Windows\system32\Phedhmhi.exe
        261⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        262⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        263⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Pkenjh32.exe
        
        C:\Windows\system32\Pkenjh32.exe
        264⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        265⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Papfgbmg.exe
        
        C:\Windows\system32\Papfgbmg.exe
        266⤵
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        267⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        268⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Qhlkilba.exe
        
        C:\Windows\system32\Qhlkilba.exe
        269⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        270⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Qadoba32.exe
        
        C:\Windows\system32\Qadoba32.exe
        271⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Qepkbpak.exe
        
        C:\Windows\system32\Qepkbpak.exe
        272⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Qkmdkgob.exe
        
        C:\Windows\system32\Qkmdkgob.exe
        273⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        274⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        275⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Aomifecf.exe
        
        C:\Windows\system32\Aomifecf.exe
        277⤵
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Ajbmdn32.exe
        
        C:\Windows\system32\Ajbmdn32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8092
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        279⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Aanbhp32.exe
        
        C:\Windows\system32\Aanbhp32.exe
        280⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        281⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Abponp32.exe
        
        C:\Windows\system32\Abponp32.exe
        282⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        283⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Akhcfe32.exe
        
        C:\Windows\system32\Akhcfe32.exe
        284⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        285⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Bhldpj32.exe
        
        C:\Windows\system32\Bhldpj32.exe
        286⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Bkkple32.exe
        
        C:\Windows\system32\Bkkple32.exe
        287⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Bfpdin32.exe
        
        C:\Windows\system32\Bfpdin32.exe
        288⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Bjlpjm32.exe
        
        C:\Windows\system32\Bjlpjm32.exe
        289⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Bohibc32.exe
        
        C:\Windows\system32\Bohibc32.exe
        290⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        291⤵
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Bjnmpl32.exe
        
        C:\Windows\system32\Bjnmpl32.exe
        292⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        293⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Bhcjqinf.exe
        
        C:\Windows\system32\Bhcjqinf.exe
        294⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8720
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        296⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Bheffh32.exe
        
        C:\Windows\system32\Bheffh32.exe
        297⤵
        Drops file in System32 directory
        
        PID:8800
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        298⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        299⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        300⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Cbphdn32.exe
        
        C:\Windows\system32\Cbphdn32.exe
        301⤵
        Drops file in System32 directory
        
        PID:8968
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        302⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        303⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        304⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        305⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Cbbdjm32.exe
        
        C:\Windows\system32\Cbbdjm32.exe
        306⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        307⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        308⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Cbeapmll.exe
        
        C:\Windows\system32\Cbeapmll.exe
        309⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        310⤵
        Drops file in System32 directory
        
        PID:8348
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        311⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        312⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Djqblj32.exe
        
        C:\Windows\system32\Djqblj32.exe
        313⤵
        Modifies registry class
        
        PID:8580
        
        C:\Windows\SysWOW64\Diccgfpd.exe
        
        C:\Windows\system32\Diccgfpd.exe
        314⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Dkbocbog.exe
        
        C:\Windows\system32\Dkbocbog.exe
        315⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        316⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        317⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8916
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        319⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        320⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Dmdhcddh.exe
        
        C:\Windows\system32\Dmdhcddh.exe
        321⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Dcnqpo32.exe
        
        C:\Windows\system32\Dcnqpo32.exe
        322⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        323⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Dlieda32.exe
        
        C:\Windows\system32\Dlieda32.exe
        324⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8360
        
        C:\Windows\SysWOW64\Dfoiaj32.exe
        
        C:\Windows\system32\Dfoiaj32.exe
        325⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Djjebh32.exe
        
        C:\Windows\system32\Djjebh32.exe
        326⤵
        Modifies registry class
        
        PID:8564
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        327⤵
        Drops file in System32 directory
        
        PID:8656
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        328⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        329⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        330⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        331⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        332⤵
        Drops file in System32 directory
        
        PID:9204
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        333⤵
        Drops file in System32 directory
        
        PID:8304
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        334⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        335⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        336⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        337⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Ejchhgid.exe
        
        C:\Windows\system32\Ejchhgid.exe
        338⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        339⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Ejfeng32.exe
        
        C:\Windows\system32\Ejfeng32.exe
        340⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        341⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Fcniglmb.exe
        
        C:\Windows\system32\Fcniglmb.exe
        342⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        343⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        344⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        345⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        346⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        347⤵
        Drops file in System32 directory
        
        PID:9192
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        348⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        349⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Fdepgkgj.exe
        
        C:\Windows\system32\Fdepgkgj.exe
        350⤵
        Drops file in System32 directory
        
        PID:9304
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        351⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Flqdlnde.exe
        
        C:\Windows\system32\Flqdlnde.exe
        352⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        353⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Fbjmhh32.exe
        
        C:\Windows\system32\Fbjmhh32.exe
        354⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9524
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        356⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        357⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9612
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        358⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        359⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Glgjlm32.exe
        
        C:\Windows\system32\Glgjlm32.exe
        360⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        361⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Gfmojenc.exe
        
        C:\Windows\system32\Gfmojenc.exe
        362⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Gmggfp32.exe
        
        C:\Windows\system32\Gmggfp32.exe
        363⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        364⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        365⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        366⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        367⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        368⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        369⤵
        Modifies registry class
        
        PID:10120
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        370⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        371⤵
        Modifies registry class
        
        PID:10216
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        372⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        373⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        374⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        375⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        376⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        377⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        378⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        379⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        380⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        381⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        382⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        383⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        384⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        385⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        386⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        387⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        388⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9376
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9568
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        390⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Ikdcmpnl.exe
        
        C:\Windows\system32\Ikdcmpnl.exe
        391⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        392⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        393⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        394⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Jnelok32.exe
        
        C:\Windows\system32\Jnelok32.exe
        395⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        396⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9636
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        397⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        398⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        399⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Knooej32.exe
        
        C:\Windows\system32\Knooej32.exe
        400⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        401⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        402⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        403⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        404⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        405⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        406⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        407⤵
        Modifies registry class
        
        PID:10260
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        408⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        409⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        410⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        411⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        412⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        413⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        414⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        415⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        416⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        417⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10680
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        418⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        419⤵
        Modifies registry class
        
        PID:10760
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        420⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        421⤵
        Drops file in System32 directory
        
        PID:10848
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        422⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        423⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        424⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        425⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        426⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11116
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        427⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        428⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        429⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        430⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        431⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        432⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        433⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        434⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        435⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        436⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        437⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10896
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        438⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        439⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        440⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        441⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        442⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        443⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        444⤵
        Modifies registry class
        
        PID:10540
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        445⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        446⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        447⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        448⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        449⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        450⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        451⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        452⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        453⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        454⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        455⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        456⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        457⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        458⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        459⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        460⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        461⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11156
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        462⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        463⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        464⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        465⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        466⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        467⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        468⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        469⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        470⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        471⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        472⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        473⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        474⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        475⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1680
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        476⤵
        
        PID:516
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        477⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        478⤵
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        479⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11268
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        480⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        481⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        482⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        483⤵
        Modifies registry class
        
        PID:11448
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        484⤵
        Drops file in System32 directory
        
        PID:11492
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        485⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        486⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        487⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        488⤵
        Modifies registry class
        
        PID:11664
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        489⤵
        Drops file in System32 directory
        
        PID:11712
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        490⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        491⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        492⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        493⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        494⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        495⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        496⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        497⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        498⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12100
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        499⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12144
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        500⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        501⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        502⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        503⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        504⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        505⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        506⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        507⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        508⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        509⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        510⤵
        Modifies registry class
        
        PID:11692
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        511⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        512⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        513⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        514⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        515⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12056
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        516⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        517⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        518⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        519⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        520⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        521⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        522⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        523⤵
        Modifies registry class
        
        PID:11436
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        524⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        525⤵
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        526⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        527⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        528⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        529⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        530⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        531⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        532⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3084
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        533⤵
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        534⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        535⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        536⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        537⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        538⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        539⤵
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        540⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        541⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        542⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        543⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        544⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        545⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        546⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        547⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        548⤵
        Modifies registry class
        
        PID:12132
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        549⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        550⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        551⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        552⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        553⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        554⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        555⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        556⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        557⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        558⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        559⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        560⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        561⤵
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        562⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        563⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        564⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        565⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        566⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        567⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        568⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        569⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        570⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        571⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        572⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        573⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        574⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        575⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        576⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        577⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        578⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        579⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        580⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        581⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        582⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        583⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        584⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        585⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        586⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        587⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        588⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        589⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        590⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        591⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        592⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        593⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        594⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        595⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        596⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        597⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        598⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        599⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        600⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        601⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        602⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        603⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        604⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        605⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        606⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        607⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        608⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        609⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        610⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        611⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        612⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        613⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        614⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        615⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        616⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        617⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        618⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        619⤵
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        620⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        621⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        622⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        623⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        624⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        625⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        626⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        627⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        628⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        629⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        630⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        631⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        632⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        633⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        634⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        635⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        636⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12296
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        637⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        638⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        639⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        640⤵
        
        PID:12448
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        641⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        642⤵
        Modifies registry class
        
        PID:12516
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        643⤵
        
        PID:12576
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        644⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        645⤵
        
        PID:12648
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        646⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        647⤵
        Modifies registry class
        
        PID:12744
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        648⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        649⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        650⤵
        Drops file in System32 directory
        
        PID:12872
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        651⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12912
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        652⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        653⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        654⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        655⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        656⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        657⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:13156
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        658⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        659⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        660⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        661⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        662⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        663⤵
        Modifies registry class
        
        PID:12440
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        664⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        665⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12568
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        666⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        667⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        668⤵
        
        PID:12688
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        669⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        670⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12828
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        671⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        672⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        673⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        674⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        675⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        676⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        677⤵
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        678⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        679⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        680⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        681⤵
        
        PID:12348
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        682⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12428
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        683⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        684⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        685⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        686⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        687⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        688⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12856
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        689⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        690⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        691⤵
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        692⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        693⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        694⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        695⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        696⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        697⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        698⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        699⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12456
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        700⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        701⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        702⤵
        Drops file in System32 directory
        
        PID:12792
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        703⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        704⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        705⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        706⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        707⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13008
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        708⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        709⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        710⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        711⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        712⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        713⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        714⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        715⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        716⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        717⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12600
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        718⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        719⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        720⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        721⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        722⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        723⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        724⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        725⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        726⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        727⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        728⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        729⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        730⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        731⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        732⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        733⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        734⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        735⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        736⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        737⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        738⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        739⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        740⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        741⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        742⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        743⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        744⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        745⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        746⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        747⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        748⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        749⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        750⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        751⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        752⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        753⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        754⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        755⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        756⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        757⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        758⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        759⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        760⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        761⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        762⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        763⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        764⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        765⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        766⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        767⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        768⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        769⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        770⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        771⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        772⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        773⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        774⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        775⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        776⤵
        Modifies registry class
        
        PID:13304
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        777⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        778⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        779⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        780⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        781⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        782⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        783⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        784⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        785⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        786⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        787⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        788⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        789⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        790⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        791⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        792⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        793⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        794⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        795⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        796⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        797⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        798⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        799⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        800⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        801⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        802⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        803⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        804⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        805⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        806⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        807⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        808⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        809⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        810⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        811⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        812⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        813⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        814⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        815⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        816⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        817⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        818⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        819⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        820⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        821⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        822⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        823⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        824⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8036
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        825⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        826⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        827⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        828⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        829⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        830⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        831⤵
        Modifies registry class
        
        PID:7768
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        832⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        833⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        834⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        835⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        836⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        837⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        838⤵
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        839⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        840⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        841⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        842⤵
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        843⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        844⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        845⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        846⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8184 -s 408
        847⤵
        Program crash
        
        PID:7920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8184 -ip 8184
1⤵
PID:7940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
80KB

MD5
b76385bf7a04b2adb3581c786cb1845c

SHA1
ea8e4c8ca32dfb18979029ce31122444caabc567

SHA256
84944245ab1bdb15fe476d4ba3a20f3e72a0a2991926906d17599fe9ec45a2f6

SHA512
4b6cc9bbe79afcbc6153bffe261d403e43355aca62bde54f1af602fa51e2bba8f23f14f163f678c2fa8eddb5a8d1addf67360b7ddeb7c23c861a60f7826d9358

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
80KB

MD5
0ce4931527a2136aac25a9506c149c96

SHA1
8eb9bcf8507632606078cf1db069bbc71ae8af05

SHA256
c4de5aa504903c37fa959117a0bb2e78daa770062542e35b5d131f783ad9ac62

SHA512
ed2ad2ab36785e3fbf84f21569a3b2126932beaab2e0d740a09e04bdd914170783b55758ce6ff5a5a6ea49608fe639ad8f9040a39813710e50fcbc34addfee44

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
80KB

MD5
0e1da61f5255dbe16b28a33905d8d14e

SHA1
8b8a3ef55ff6d1366d991217cfbed0a63c0942e2

SHA256
be290bff20c8b96bf5888d37dd716dce95e0ecc767695e0b1d5d467ab7125355

SHA512
62a6f66fff5aa73d88d1c96ad2152f15804aa2b6d1b2b09c683a920e3d1f0ff4d0e7c37f6e6265df4d0f248ccb6371cd85aafb15ecc71584defab8ac700f8ce6

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
80KB

MD5
49ff2a4fe2971e6ea05da7842d3ab884

SHA1
76796627709901117cbe8731722c35a61e1fc0b1

SHA256
ad83e5bab702821408ce7a8007f3ea87bbbd09ea81c866bb52e8037b297bdf80

SHA512
0edf617b0d74d6a5c440ac2a4317bd30435a6c80a59d58768e36de73bbb5cd9910f28308dad328ea964696a5cbdf6271a2007c651cccd9fa68494ef6fb886ef6

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
80KB

MD5
064069c3aea385fe7248511f5e76bbfe

SHA1
9482bbb6fb190df50321c15c954ec4ccf3203ecb

SHA256
291df60dc344514e7af56f4dc126b639762ba0a7065e2937e152c4701dca2804

SHA512
53b045bfd243b84b966a00fcbb7914bc83418845312599bc48d57e4a303090e25a00d054533c98141fd149ce49b78e13f70b66e08a5e37494bd505fa32f8a067

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
aeeb6c69cbe6058e16f896d54e4b83ea

SHA1
c95e49cd32f422be531bcdaa0f0e18e1bc35adc3

SHA256
9c8134adb438439b2e74464e6a6788062fa88ff2ed22a5616c0f998a3998180f

SHA512
22c49081c14ee099b2623841ac8fd121d9af9e1520b4c5a2f16e3cefcaadd691889d44863dbf9b88092df2dc39b7096d72fb74d5d9d35f2b9e74035fa461805a

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
225d05d84a96938b3e006f1bbd0a8955

SHA1
e3969999bad04dd2b5af0a6526d22d90412b15f1

SHA256
4b4984c944db5c687847f08ee74d6c6f91d9ef4dadc6e253ffc0c7a499fa4811

SHA512
789ce1ef860bd25d5604462806b3f3b4df3e7795fc98c121ed23ea2ab2a7700dd399d3ace1b4477c9e14090c021d881e3d960e82e8cf8818265c5e95a136c71d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
80KB

MD5
e92f9d0ca6b73edc36213d92fc929549

SHA1
b28ebe8cef5227881115eb9a1a86bbf1ec10d957

SHA256
65cca6cb3f4f5ba12d55caedcef1b64fc19b796cf0585856972c67aec57b2f4b

SHA512
5fdaf363e94268745f1ed1e210ebd969070ee2a5802aa9f78af930380f20a6973ae251f55554cbeed926ef3fabf2d6bded1f2d75ada500eb5531573a5af5304a

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
29d5edcb1a28915a6de3acfaa93e661f

SHA1
cbc7686d6a3f5c72ae27367657325f4191d7c2ab

SHA256
447f99bcfe350298a523960af4e5f1a9cef08d33e43a820968b8941db52f9ea2

SHA512
89bb5edf220932e8cd5f555b24d38be06a8d31b6c98af604d0692bf497d325f6b30a8dc716e2299dc13887e794102494b5db0103aa325fc48c14ddcb9d2de7b9

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
80KB

MD5
e8be22fcfaa7e9d5d710e92caf94c436

SHA1
9c3a05d35d7081d6c7dd99ade8701ef397895b74

SHA256
5f6129b809e2c095fe970cd20f0cef23639b85e7efc32547d67d79a5c01f6a99

SHA512
38b7ddfd2984cd44b6b8c57e4256ee630ca4cfe781b8901c7003bf2b6b4117e68aeb41a8f70fc9db641001f6b051b497865d14e461a6d6f716d8024801f325fd

Download Submit
C:\Windows\SysWOW64\Cbeapmll.exe

Filesize
80KB

MD5
e49a2c167cc0b225f7240aa81700ad41

SHA1
a54556dfe285f10811af3d41884997f2a389d1fc

SHA256
eb07324a1aa7ac00daab8884826f1a9e5fa7eba2b41c39f2d29422f093441872

SHA512
5573cf54f33ae7ec8091bc47356b3856aa035eb65c16bcacfd13d52db28b20e5429920f346319efd2fc95402475d397d5bbe47958376637718972dcf4baa38f0

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
80KB

MD5
2be400e44a2d8b94920132e9928e7664

SHA1
3dc4971645f5ad140b764d86b484ec7e413612c7

SHA256
06b6817e5c97a8b49c414d480c0eef11e930d93e0767f669dc025f3779268adf

SHA512
d7094e66697e212a3ca1c93692b151862369954571c8a2317e306370d794d8f8a96bd97112cdc1d3f1ad197a9e78cf1029354ded7525d3e8c73847336e14c007

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
80KB

MD5
8cf0133ca9c52ad74c547dec3155f36a

SHA1
e263287baaa8177fc9310c53e760c6af7d200b8d

SHA256
6fae25336cc859413cceca8176c53c1f4f34874faef033a0450c28ae29e1699e

SHA512
129b5b5eda162357976a8c6fe43ed0112e91e8a018f8427334283c1d4c548014e13802bf94b16e65dbdf6704bd110b28d08593d463b00a4fa0c4cadc8bc80c6b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
275f77a226fb589418a79ed3772ffc0e

SHA1
6430a5aeb984eee04f6d39e482f769e861151db0

SHA256
32ac838b4951569a6ec6faa5becda9577914c5cf60c9d7e35c7aadb40757d79c

SHA512
d570b85f78eebc7cfdf902b340fb3faf2e9e77746bce13e015d6d6eb6e8f48ab48523e4136a5328d31a2f60f04f35dd7053d0498ffe1653bab530dce1832cd84

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
80KB

MD5
09c43ef28ce53f3c3121e665bd947654

SHA1
ae18939832cc349f19531e6cc624a81a3fe535d3

SHA256
6b546d2cc52ff319926c9b0f2a7305a7e5bfaab634cf95f7023e5a563bd74694

SHA512
3b751c2c3833ecf2383cee9f45a7ee1977ba89af1a01cea151ba50f00a146bfc52a9bb44bbe18250db3c1a85bd8a4d870d491e76ae169da744091639fdb00605

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
80KB

MD5
551ea4ff73266e27a34b1bd67aba8b79

SHA1
220e01e02e2539eeae2662ba784bacab47b2a874

SHA256
2d9ae77073dbdfcc6e3ed6028dee96b889deb131fa7338fc68d1a64cc0fe0371

SHA512
6aaf461e7e102a0bf82c324affff33b1d5d1bf28bed859013a08d522827e15f29d5a1bca5a95936ddf3cf91ca84b576c9ea6187374e6db5313d6b48eecebe78c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
9ff7d9bb20db325933d3c559e2b2724b

SHA1
dc0ec72471c7ce81bbc479a5dd5ed86b7a225fc2

SHA256
cb810d5a01b3c4ded1e2458299c4fc9a441233ec64d00e2a7b46382c6089e5bf

SHA512
c94d3c0547b6ba8b30965714c4f560925e10bc68abe17154b58b4195c84fc6be2b7a27f63de1a43ed23ff01f055f8d60b19181bf57094dd367258de177a72836

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
76ac8e5d5aeb4386e36e27c7083e8e3d

SHA1
0514b1d64c7838494c80655d4cad3573ce4b9d39

SHA256
13ea3c5ccf311a11f006a2143866385b6ef08d9dd3a63f1c06549fbd8aeddafd

SHA512
33cb8ba757a122c558aac05d481a44735828e1b4ace96b845a0cb078495892059fbc1537b1ee4fcb682ea152cd37e611815e9862eba6dcdfc194d6592a89778b

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
80KB

MD5
b0dd8d62f4158fa0a6b96388b2496fd7

SHA1
e15657f360273a9a319cb3bddc6b10d8a4e1e435

SHA256
c4abf401cf837b2b760b0122606a29b98fb31e7bece0a3232742c77fd8fd4533

SHA512
7e1f6038cab711891710109bee17dc712483caa9c3a00e4075a02fe7e449016f347a2143ab20016797ebc9f0fbaaf015146a07885474ebd018ddffad96b8d01f

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
80KB

MD5
498012e0b91d4802aff3408ff19491b5

SHA1
498762fff7fe69adf21c510f70abdfa0e5a7738c

SHA256
447c4a3a49652623c7fa3d8dd66e131d5f4d102491de331eac797655d0e202c5

SHA512
a131cdd0ce2b92bb8c79db96050808885e14aad569b6fd32c24bc28bb4cafc9265030a574594659010a595ea829c043a4ebb3e3292329096bf6bf4a64e28819d

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
25b064d3f2e3ed8c71ca92a4b8907a28

SHA1
94e1cd22881911c27d4b8ae20923ef7f1c50d109

SHA256
1083521b41a0bf3d872788aa899d612fb74d3197d26bb91a23670523e2bd0e5b

SHA512
88bf6f18ad7a01a2838f8639eb5b9674209efe6e7b552d121e9d932ccf4b961445687238214271793287f12bf40adee01fbf5772ff4d483753e0996cd03ad271

Download Submit
C:\Windows\SysWOW64\Ejbbmnnb.exe

Filesize
80KB

MD5
b605dc222854fee09fe2e93a36866919

SHA1
f3549ba4f9928be15063e0e70c5cdf649a1a027c

SHA256
cef137c88d50d3313a10be9c0cfab481b673f3f44efbe0b776364c45ecee113e

SHA512
f0d0181b84a720e97fcdd0b775ce36017ba9a5545c6b4ca30be5979a428873fec3d664bba555eafa78683a47deb193b9239b468726678fba6b31f325e9240ebe

Download Submit
C:\Windows\SysWOW64\Famjkl32.exe

Filesize
80KB

MD5
2d8c2381fb79c79c332ea4792a7fc552

SHA1
efbcef460ae1522b6b01f9464bd9fb9a98945256

SHA256
475b80cc6c3e1d105ff86406e55732ce73bfb5e58b0676976bcaa979c927542a

SHA512
e4b4ba377c4eca8734b2e5cdca57b6d216f91148b029e33f9c055f3bee97bab66b7f66c498517f115be98d0e39265f8437a50200bf005a477477ed7a7a08dc47

Download Submit
C:\Windows\SysWOW64\Fddqghpd.exe

Filesize
80KB

MD5
f06b19768db86c54d67224d5d04f5973

SHA1
ed29471dc94da4b5e2da2df95ecdb4897057f0f3

SHA256
1764331ad48383203968d7209ae2c4166a0f8aa18712b08867d93bbd383c7f84

SHA512
a423d07e6edd7e20056aab83326935bbfd67becefe2fc49f7db4355d9c315c7c402b325122e7fd791d1377c8fa3b9bd789fefdd002ce955f91b338ff6b05c5aa

Download Submit
C:\Windows\SysWOW64\Fdfmlhna.exe

Filesize
80KB

MD5
8b72dc5fccef55858ae4fcd23ab69454

SHA1
6af6c6570e6b2a3429bf609b8c119303d1564a01

SHA256
f1efa83867acc8413790e82773b7323d7b5f8e6ff8df8abc1dccb0898a6ed813

SHA512
fb62a28df4c9fc6b691edce78d3c250e543c6650f6e4e8d7c7c9c322769b6fddb5cf8d182b5cb49667216280645c30d653d61e56bf08d2ee85a7d46426ae9da9

Download Submit
C:\Windows\SysWOW64\Fdijbg32.exe

Filesize
80KB

MD5
8b316b4b34a438816a28f286024afe38

SHA1
de0c185e54a344058160a4eb380584b3da77016b

SHA256
900c78a67b3b1ef95366e6e49bf768f4e242f4d29c3f3e3bb772900ad93256cc

SHA512
808394549c118b3beb85aeb57a4f38e98536daa3b036e576a911c1cc4d4b7381ecaf5e3a1f609fc7045f970ddaf55a63eaa7393fae9e0e2ea094221f53f86912

Download Submit
C:\Windows\SysWOW64\Fdkggg32.exe

Filesize
80KB

MD5
85596eda933832c5c0b3a2066dc2ab7d

SHA1
70009a8860f9c3a3b73fa5b5da90502c7ea2a17e

SHA256
6d64215c211f085d78239d1e0a47f4adb1211a0b3e968e22c8fbb568b7d2c6d3

SHA512
d4a9a35ad15641b666c07249e4f297949d809c2183759ed6c9c6f806a9e2712372224844cb8a1704e53429943aaa023baac519449190448fdc124c5e36350cde

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
80KB

MD5
2be355418c1741520a51fb1c25dd468a

SHA1
1eada709a9cb91af26b82a892821ab669616a656

SHA256
2d5cee8c24d125f962cd6d3179db8bff3eddcb2b7645dce8c93a621148de21dc

SHA512
83582c3d93e0a3d603e1ebd090a88a4eab2b2c9e4ff37a9517776bec5894e2fdb79c82665235700406f6bcdca4d5104051d5c1f70e91b71647c02e2c22db469a

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
80KB

MD5
7706476b6ad340b32c49ffa69405409e

SHA1
5342e55a687aa71ff8d7711cf2d390c983b9601f

SHA256
bbc4113f4cc5211809762a575c234b822b71cda28e4f1e8e2f4bf8ce90246ef3

SHA512
9f6404b19deb10a8982e764bb31b566d366b92ca3e9571390cb053048bfaf59c4e6725c805d008982956d12073fa484333ac85a79ba6fa0ed2e645b7c7cfabb7

Download Submit
C:\Windows\SysWOW64\Fgbmccpg.exe

Filesize
80KB

MD5
9160f63e00c71feec66993b3d2412a3b

SHA1
24cf5c1ead53fa9994e3d6d46eb55c20f197b7c8

SHA256
fa93f6b2e9ad3c37a730fa99b54058be43476437cf1aa7e642533effd8ad9a4c

SHA512
7e716872f9125e3aa4a6c51459e487a68e5e42718365eebd70bb0b6661704a83011164a1e5361308b1ebb33a2e2f04023f82ec7c8d3b9fc6c35ebf6eca6cca5b

Download Submit
C:\Windows\SysWOW64\Fkqeib32.exe

Filesize
80KB

MD5
d94635d237d7613802671df6cc0b401a

SHA1
e11a75ea434b6a61172e0380ffc08a43894f60ec

SHA256
447395131cc517c67e9cd2f21f3aff844704401ccf1c19403cc60ed3bc38d12e

SHA512
f03d2460a3f3cdd51be195de7fd966ee0ca537d7505c2b52f6cd3148f9d89e1974e06b57c9c053792561632a17024253c510ae082fc7591cfdcdd47afd82cb3b

Download Submit
C:\Windows\SysWOW64\Fnmepn32.exe

Filesize
80KB

MD5
3c263f9d66b183d31236451c91cd2ef6

SHA1
d1fa6df43486accd129e20efa7cf4a05333ebb2c

SHA256
f273259bad8509df5118997278355833630ccf8c9983caeb6a57a382b1f85c86

SHA512
f0fbe3629f3012a0da1842aadd726db0536285a1a5f780f3a2c433ba984b8fbad2ab9073659123da7b0c305b258ef39ac2aa510e6b47e32d4261265a117df271

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
80KB

MD5
75a420c47e687c61e6f732d719d9871b

SHA1
ce7e7bf70e019ad2938c6418444812752a3f92b9

SHA256
8b9a4315d632ceec147d06acf5e7be1f880aafba2c4b921c3172dabc739ba552

SHA512
6b5a7e053f84e5e5880ada6d8b510750d09ad38530993b72f2cd56adb4407af84510f0794e40b4cd5f33d5c184a172506c31383cff4f0e84e6fef809b6e57903

Download Submit
C:\Windows\SysWOW64\Fonnop32.exe

Filesize
80KB

MD5
76b3f1a35d6888833eef59336e085c1a

SHA1
fd5df39e833d57723fcb95b25523db7acc311d31

SHA256
f98958f24bc454e4cfe087919a8740935a1e9299c92f2cef8b2019e2994dffcf

SHA512
95b5aa0d23afc584c04d75a214d1e02efd5925c16c925774b381d75a72d246e6fefdb44febd063579052f90a40ec684f66a9d0eeabe9d4b92341d4654abc5e78

Download Submit
C:\Windows\SysWOW64\Gbdoof32.exe

Filesize
80KB

MD5
503d731c02ce1420ef960ba663010f4a

SHA1
d7469ce50fbd9455731f4bec47543ae3bc4c6adb

SHA256
8b1c0b0fe8bd34a6ceb1adbca8f647a3c2013f18b217b51cd22b22a6686d611b

SHA512
e1c962fcf5c71d4b9f1b55e91ca054ba0266c694e32046f81f9e553582e9c2af2a082e64b236398f41376ab91f8b1320a761c814ec68f435022e4d78337ceac2

Download Submit
C:\Windows\SysWOW64\Gdncmghi.exe

Filesize
80KB

MD5
96924399482be6f5b8a6e1b2576161fd

SHA1
2704a4ab1093f62a516c0878c1146fa73b28f7be

SHA256
8c9279c013fd583878169520c9f69431ba455c9744c2c730ef3a4ea5cb10e86a

SHA512
2ad08bfd83e6048e55ede874aa0e02d36cd04a045e32965871f85f6d92c57edf74b0af75272fd24c91113f03a34cd33d570f16bbbb6c665e7dfb0875ccace913

Download Submit
C:\Windows\SysWOW64\Gempgj32.exe

Filesize
80KB

MD5
f3168bdee396f6a9f24fbd66a3e79b1e

SHA1
37645aa4442978e772fa10b362de4a2f1ef3a7c8

SHA256
35cdf45651f6d2edbbfea7fcaae51202b7d2cd4aca6378a0bb9c4d77c9a0e95a

SHA512
e65940d72eb3b463aeb6a4c5dbfa323e994ecb2c393477ab14aa3269dbeabfa2f3dc59ffeb1926f09e0060804229942bcb953a1856038120147315bffd99f1b2

Download Submit
C:\Windows\SysWOW64\Gkglja32.exe

Filesize
80KB

MD5
fd244823269289e57064747af6001fec

SHA1
5b6f8b987248ca706d31784cece7bc5a58839b3b

SHA256
439dc5cbe5f60f89f92e3f960fd9e19a6d5dbf02797c647f8dc3592cc3eb4cd2

SHA512
4eea31b7710a61c5dbb58bc7cb3db3ac3b3f60c33180b6ada1ed6e298f54f20a674b96fd2e5a8d7ece74dfc144834b9cc2c1832a8d6cb92096157b1d8e5aa251

Download Submit
C:\Windows\SysWOW64\Gkjhoq32.exe

Filesize
80KB

MD5
229ba7420d352a212efa14e3684984bc

SHA1
787160c019fe476abab48a5f67fd9a109896b72c

SHA256
315f077d3329d5e893ecac25ecc230fa8a3bf294880e1034a8c562d5cb622f29

SHA512
1cb90855a8f35a31e722c87d3dadd717e257b80e85d2273d09d1bb43353b32704e6f5879f7cdc1dd11e83a29270059562846e355d8391c02bec62ce24841e5ef

Download Submit
C:\Windows\SysWOW64\Glfmgp32.exe

Filesize
80KB

MD5
125928b8bb21c995424d1c9f360f8352

SHA1
3e38ecfafcef9a12b572061f8c5db872cb822fe5

SHA256
45e88999998b4eda5ce68c7f180c37d56b63e5a7456f71877f899086149e593e

SHA512
06bc1587c3887b19251a7392ff6af4e94459be44fce3354e74b52d54d6fd834e99d1b4768f9b00846d1ed0eb6aed7f4d1e8e28d029f3f301de67f94cb7ca2b8d

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
80KB

MD5
d34639888d2f9450d5ff5b1c2cbda787

SHA1
7a473a09ffd6a2abd7edd0cb9cd8309d41802ab5

SHA256
8d9cbd41cac002886fd829b8a0f8b5495426ccd9ab96bf42809bb77d31248f26

SHA512
e89d9cab2e2a653a5434a4d868f3c86f7137c0588b379e502fc78ac60e31963a4c66d7990b61794548623d2303ec48e8a588ddb87cf00b18a8ecfc1f15e8e913

Download Submit
C:\Windows\SysWOW64\Hienlpel.exe

Filesize
80KB

MD5
7488d51a261619c7b164540df7e433b1

SHA1
aed9302e8ed9a5838da5cbbb0f9c1e7a5aa24bb6

SHA256
17e9fd7932389a4c62a5e1970323c78328a56d77250c43ec3ce81b37359b9622

SHA512
22c9b07aaf1777cb47106f49dd867a3208cf367b3959e22a38414a7d2abadb9c43ca01c0d4e5bd85a8b5e564ac7441ee9d18f0dd03a7f09bbf40a98c584f2b24

Download Submit
C:\Windows\SysWOW64\Hnaqgd32.exe

Filesize
80KB

MD5
60ccb544bde7c46a80f898f874d4c0fd

SHA1
8b790fc25b2dba6c77697b255fcad739f08424c0

SHA256
5758d56e271f4b5fca0f416673bcd1dc1ac4244a23ed0845b55ee740215e1f80

SHA512
823af5fc5d544c953c4c8331d90bc2aa30cb1e987a8fbad7f50f1464d298f8a00ecfe5c5fb679bb1ef420abef2221131f37747a66b578eb89db3d740530b7822

Download Submit
C:\Windows\SysWOW64\Idghpmnp.exe

Filesize
80KB

MD5
3c87ca87792cb20896509ebc90575d28

SHA1
6e22ac510db61c02468e7cd6857825c1c105b686

SHA256
03d745f291918d508965e94fce09905e5c68844a9edf69b122f595f9b65d4f3e

SHA512
ff7f0779d37dd8a6ee26d6943f17230a4a4d855247c6337ac7e48fa0b330df1204aef0c580ad274e637e6f073e0763c078d5bfb521cb6f54b8450a4ab6c45bf9

Download Submit
C:\Windows\SysWOW64\Idkbkl32.exe

Filesize
80KB

MD5
3da7d2583702bd4343bdc7e1b6307565

SHA1
77f779bd1a705116115305df893576ef44ee7a27

SHA256
89137e58263877bd5af0ae0abaa78b413c035a7f58eb5362427837f63073452f

SHA512
151a1e24161c19d19e092056961514012587eed4be53b9ddf02c49b136fd600c354d905db5bf486ea0a46c02dc6db9a0bd9c094d63feda0de4ad12bfa1a78e0b

Download Submit
C:\Windows\SysWOW64\Igdnabjh.exe

Filesize
80KB

MD5
8575a2432988a87203c0f43b311f1fed

SHA1
cca301df1957159b1f22236e8df188d490f57582

SHA256
4d794d0a7c91e1348ff2f4c310c94e7c101f248b6729b1df5048367cfb0b9f92

SHA512
fe7645c05c6dd8d2a80eca53d8f5a6a5b9bed8bd8d65467f67f3ca73f717f0abcb6856e67f0fed7c58d0764dc39d0c06bab3006c78c1e3a5a6bb910b7af455e9

Download Submit
C:\Windows\SysWOW64\Ijegcm32.exe

Filesize
80KB

MD5
ae7fb7772d9f85c0a736f2910a1e71b4

SHA1
f4625d900fcf3ba26fbdc934ec114c6352d6d5a3

SHA256
21ef9ed8eaf25c3c80dae1e4de329dba8138cdfc20be19d4c3402e7ddbd61948

SHA512
3e06eb5d88e10b0c4bbb585e2cfb6fa35833496da015fc15912611fd14d31e2e0e16e31360025c73453ea4b6855747ba5b0df3fbd5e5613ce522459675d40564

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
80KB

MD5
7e75b666f940cef3929cd39d55ebe4ff

SHA1
c73c196c9a4d109bd57822b5fd6ae52464f646d1

SHA256
4e5801308e42115814a791f10ccc1a27871f7ae6e4f20f9028357b9d4a6331b3

SHA512
e83b60f0cad8533788ef6593ed3c98a65bbee8a0944bd379cc81df434c2d2612464cefeae96e061bae5865d7fae01dface4e6eaf6865d95a36e163e486df6fcc

Download Submit
C:\Windows\SysWOW64\Jjlmclqa.exe

Filesize
80KB

MD5
b19e2ac6043f2ebe546437c7b8b3dc75

SHA1
5311cd3d2160dbf1ca520fefb466fef46de05c76

SHA256
d0b7115b412bce664f40b18ddecac4fd766779e25798730db6d57d2b29e2ef37

SHA512
e82de8b572c6b62d44cb70f011d88e623a0307a4f6f32d50dba468cf05168243d4ce51e7343a976e9b64125f9f0b3d95a9c82d1178200d60ddeb11177ceb9fec

Download Submit
C:\Windows\SysWOW64\Kjhcjq32.exe

Filesize
80KB

MD5
8f138516f99212536561fb5e868d6aa2

SHA1
9a8a78add9a3782ea214f91f17248c0202b3eeb8

SHA256
70f6a1b06ddc6f0d9eabb909da272870a3081f09e800564593e5f4c1e6b3258f

SHA512
11382f1e48c8e7d353246f55c60c7f2f175a48c412c5b10cabb166578d9c8c51a2aaf2b6b42153550f1d7d14340e2e2b49489e2b7dc2fd0f2e3a7bc944c2735b

Download Submit
C:\Windows\SysWOW64\Laqhhi32.exe

Filesize
80KB

MD5
3bdd9c7ccbac7ad220057302bcc74fe1

SHA1
0bf52221a22ae8e03bf385336d8a72b31d73e720

SHA256
409ea9e3c062fde90bf81cab5893a7d4e03d7bad2d9ffea228e5e613f9314538

SHA512
1db0d39e90e7357eb4f05997247105b30e3634295aa11a4f907b52eab104833901ca7fb223ad02bc7e3b36c6eb7502776d5a371e410db2564059ef821dc22619

Download Submit
C:\Windows\SysWOW64\Mifljdjo.exe

Filesize
80KB

MD5
0a8d6af41e406e0f35006acffe9d437d

SHA1
423851408c40bfd90831da33d22277ec3f36e71a

SHA256
2116fb9619dfd8e9bea45e1c510a6e142fe1035a242ff41ca85f0aebff3654b0

SHA512
72e09221e85ef26237e9844f2cc9b5de65685ea60a8ec87e61d1b34ae1a69a1b32b10bd40b59586f5f9e1467998ce60577830830bcfc37a8a6c5fc26b578627f

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
80KB

MD5
290d0dc1f623ee54f25f558ecf1a57b2

SHA1
f9aaedb095a8ac0dbcb12f5a4726010bf2734592

SHA256
9cef60073e3e35e1ac1a11d3b848c8e7a64332152e0466a4174af96f8fa5985d

SHA512
61c5ee69aea0413ea6004977f8f5a61042368f599b1480c7a826e25a135fddc60df7a88fa471024c19f917da55664c40bb91daa9d836e3a73530fcac7d40ffa6

Download Submit
C:\Windows\SysWOW64\Njfagf32.exe

Filesize
80KB

MD5
70ff77a4b64eef6cd77d46b122d7a1ec

SHA1
018b76135cedcf4c9c38bd9764ecdacb5bd712bd

SHA256
ccd5cf7602d02df13af7fbd18c9b1ed78f03f8842e5df98986093170610201ae

SHA512
0339cacf2da330b658065af9652618276287a5487b4d0b50c96cd84e67d0ef44db0e50c95e8606abe65b8cfc1ba6bab1723ed20a5322260d85bd75c0c30c6624

Download Submit
C:\Windows\SysWOW64\Ojbacd32.exe

Filesize
80KB

MD5
6676c7188e2d864ef61410a2fdc492bf

SHA1
4531c39080dfdada3fb31ee7e064a9970082d79f

SHA256
e5a5b0ce8251271699e47bc7ce3479ba20f81c6cd7a178daeba3c728f3ecb63e

SHA512
3e43d9dd65bb89d5aa589679818da7c67108228cd2da9dcfcf8eb9d53fe2386f6557d692dd4b455cca642694be69951c86b598b5bc4a1a42e6daf198cefbee54

Download Submit
C:\Windows\SysWOW64\Ollnhb32.exe

Filesize
64KB

MD5
28f11273a3e7c8bb96e1ea81c7594ac8

SHA1
5f485063915aa3fd57cf443a0886705b542eed1e

SHA256
f8fe22c18b627fbf7718471ba0ccb7dd7df6e6eff77c3377a87025afdffbce9b

SHA512
64d3940f0543b38f4bcc1dd9ca720708b3e79ad7f7dd4d831b828aeb97605c04ae2a9f2552f24eae4ff13196e3fce8ff0fbfb38b50d96b244b2a079853e253ce

Download Submit
C:\Windows\SysWOW64\Ppamophb.exe

Filesize
80KB

MD5
2c1e819e3413640c18d3ba0534142d48

SHA1
2e1cf582a8901136e805568b2d62fa974fb5930d

SHA256
ee7d7f638586e0a0bfa310e160b5c2ffc4990db6d4212c328091a3f54eda231a

SHA512
61f2f3924eb7e3bd1509a68a7707e9dcb07f4dfc74eb5c5d621721f4e33a8a827ac6263e91c178ce2be7199f72bcb3ddf2e829234d7268a96e8f7a08c3498de9

Download Submit
memory/212-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/368-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/412-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3572-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3928-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-4376-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4388-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4339-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4338-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4369-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4374-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4389-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4381-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4383-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4636-4332-0x0000016428160000-0x0000016428161000-memory.dmp

Filesize
4KB

Download
memory/4716-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download