5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 21:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe
Size

80KB
MD5

8231069df5e0893cdb52539f0d7cbf68
SHA1

1750a0dafe3070a5e686b6a5776388671a2fe375
SHA256

5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540
SHA512

49886f8debbe04eb935f05ea88b497ce56ead991bdc057a54eb761a92fa68f3bb17484f88bb0279db7bd007710f165a65a95606a6e10e0433cf863b3b484057e
SSDEEP

1536:bxQwg/TWGeSVIrl84lMRq3cYI+I7f+ObqVPzFIiT5YMkhohBE8VGh:bA+td3cH7WObqVPzFIi1UAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkjaifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfjljhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbefkjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhonfjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdmojkjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfqogfjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coijja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccbln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioppho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfpcpefb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnbfjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alelkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hillnoif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcfcmnce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpfdkiac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclpbqal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdalkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaqgop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaccdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dicbfhni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admkgifd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doageg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfggbope.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmajbnha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eokjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckqoapgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjpaffhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idbalhho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biljib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njokei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdiafc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfkkmeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmamba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mclpbqal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjehok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofmndkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjklcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjdbda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndliin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfiiggpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnojcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poqckdap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhkkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peddhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncopcqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdaqhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbfaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpqcoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpnmele.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glpdjpbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnmhpoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlfqngm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhhdpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenffqf.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	Egpnooan.exe
3432	Fclhpo32.exe
1468	Fdkdibjp.exe
4268	Fqbeoc32.exe
3440	Fnffhgon.exe
3616	Fjmfmh32.exe
216	Gcghkm32.exe
1548	Gcjdam32.exe
4084	Gbkdod32.exe
1400	Gqpapacd.exe
2516	Gbpnjdkg.exe
2588	Gbbkocid.exe
1740	Hgapmj32.exe
2788	Hegmlnbp.exe
4056	Hbknebqi.exe
1444	Hkcbnh32.exe
1240	Iapjgo32.exe
4360	Ilhkigcd.exe
4776	Iholohii.exe
448	Ijpepcfj.exe
4760	Idhiii32.exe
4164	Jdjfohjg.exe
400	Janghmia.exe
4732	Jnbgaa32.exe
3176	Jhmhpfmi.exe
5088	Kahinkaf.exe
3780	Kefbdjgm.exe
3080	Khihld32.exe
2760	Lacijjgi.exe
960	Lhpnlclc.exe
2592	Lajokiaa.exe
1128	Mlbpma32.exe
2308	Mdnebc32.exe
1192	Mcoepkdo.exe
3092	Mepnaf32.exe
3684	Mafofggd.exe
3488	Mllccpfj.exe
1092	Medglemj.exe
2632	Nefdbekh.exe
4780	Nfiagd32.exe
3420	Napameoi.exe
4236	Ollljmhg.exe
4468	Odgqopeb.exe
1696	Okceaikl.exe
3620	Ohhfknjf.exe
4720	Obpkcc32.exe
632	Piolkm32.exe
456	Poidhg32.exe
5036	Pokanf32.exe
3996	Pkabbgol.exe
748	Qkdohg32.exe
3576	Qelcamcj.exe
2248	Aioebj32.exe
4124	Acdioc32.exe
1416	Apngjd32.exe
4320	Bihhhi32.exe
1844	Bikeni32.exe
4264	Blknpdho.exe
536	Bedbhi32.exe
376	Cefoni32.exe
1972	Cidgdg32.exe
4316	Cdlhgpag.exe
4172	Cmgjee32.exe
5076	Didqkeeq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lfkich32.exe	Lmcejbbd.exe
File created	C:\Windows\SysWOW64\Fkjjmpnl.dll	Mkhkblii.exe
File created	C:\Windows\SysWOW64\Fmbflm32.exe	Ffhnocfd.exe
File opened for modification	C:\Windows\SysWOW64\Kdbchp32.exe	Kacgld32.exe
File opened for modification	C:\Windows\SysWOW64\Ifcimb32.exe	Imjddmpl.exe
File created	C:\Windows\SysWOW64\Kingpj32.dll	Iicboncn.exe
File created	C:\Windows\SysWOW64\Oookgbpj.exe	Oakjnnap.exe
File opened for modification	C:\Windows\SysWOW64\Jggapj32.exe	Jmamba32.exe
File created	C:\Windows\SysWOW64\Cggpfa32.exe	Cmblhh32.exe
File created	C:\Windows\SysWOW64\Jcimnfna.dll	Hoglbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mfiedfmd.exe	Mkdagm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpnppap.exe	Jfffcf32.exe
File created	C:\Windows\SysWOW64\Dnbjbbqj.dll	Qgalelin.exe
File created	C:\Windows\SysWOW64\Fjaendej.dll	Jmfdpkeo.exe
File opened for modification	C:\Windows\SysWOW64\Lpcedbjp.exe	Liimgh32.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Ipohpdbb.exe	Ikbphn32.exe
File created	C:\Windows\SysWOW64\Apndloif.exe	Qecgcfmf.exe
File created	C:\Windows\SysWOW64\Glcelq32.exe	Gdlnkc32.exe
File opened for modification	C:\Windows\SysWOW64\Mmgfmg32.exe	Lepnli32.exe
File created	C:\Windows\SysWOW64\Hhigoqni.dll	Pjnipc32.exe
File created	C:\Windows\SysWOW64\Akaaggld.dll	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Oqadklae.dll	Iabodcnj.exe
File created	C:\Windows\SysWOW64\Gegilj32.dll	Oeahap32.exe
File created	C:\Windows\SysWOW64\Ncjjbhfe.dll	Ecjhmm32.exe
File created	C:\Windows\SysWOW64\Gaaccjhd.dll	Jcefgeif.exe
File created	C:\Windows\SysWOW64\Nocdpece.dll	Ndcdfnpa.exe
File opened for modification	C:\Windows\SysWOW64\Pnlafaio.exe	Pcgmiiii.exe
File created	C:\Windows\SysWOW64\Cieoen32.dll	Aioebj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnnlk32.exe	Nmlafk32.exe
File created	C:\Windows\SysWOW64\Kpebbije.dll	Jpfnqc32.exe
File created	C:\Windows\SysWOW64\Leecmgpa.dll	Nbkojo32.exe
File created	C:\Windows\SysWOW64\Hfljfjpq.exe	Hpbajp32.exe
File created	C:\Windows\SysWOW64\Aaeomcoo.dll	Maefnk32.exe
File created	C:\Windows\SysWOW64\Coijja32.exe	Cddemi32.exe
File created	C:\Windows\SysWOW64\Odcfdc32.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Hoglbc32.exe	Heohinog.exe
File created	C:\Windows\SysWOW64\Ecnbgian.exe	Eqpfknbj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfokoc.exe	Ngnnbq32.exe
File created	C:\Windows\SysWOW64\Cgaqphgl.exe	Cnhlgc32.exe
File created	C:\Windows\SysWOW64\Mkdagm32.exe	Mbkmngfn.exe
File created	C:\Windows\SysWOW64\Kdbchp32.exe	Kacgld32.exe
File created	C:\Windows\SysWOW64\Pcjaio32.exe	Peddhb32.exe
File created	C:\Windows\SysWOW64\Mafofggd.exe	Mepnaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgehobe.exe	Aklciimh.exe
File created	C:\Windows\SysWOW64\Hoepmd32.exe	Hdokok32.exe
File opened for modification	C:\Windows\SysWOW64\Hoglbc32.exe	Heohinog.exe
File created	C:\Windows\SysWOW64\Ijblmdkg.dll	Koggehff.exe
File created	C:\Windows\SysWOW64\Mgceqh32.exe	Mbfmha32.exe
File opened for modification	C:\Windows\SysWOW64\Pbpall32.exe	Pnplqn32.exe
File created	C:\Windows\SysWOW64\Gimjag32.exe	Gmfilfep.exe
File created	C:\Windows\SysWOW64\Akicfe32.dll	Gmfilfep.exe
File opened for modification	C:\Windows\SysWOW64\Pbkagfba.exe	Pcjaio32.exe
File opened for modification	C:\Windows\SysWOW64\Iicboncn.exe	Ifefbbdj.exe
File opened for modification	C:\Windows\SysWOW64\Keabkkdg.exe	Kdqecc32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqiak32.exe	Fiheheka.exe
File opened for modification	C:\Windows\SysWOW64\Mgceqh32.exe	Mbfmha32.exe
File created	C:\Windows\SysWOW64\Ljnqoldc.dll	Pnplqn32.exe
File opened for modification	C:\Windows\SysWOW64\Efikco32.exe	Eoocfegl.exe
File created	C:\Windows\SysWOW64\Bebmpc32.dll	Pgpmdh32.exe
File created	C:\Windows\SysWOW64\Fgpplf32.exe	Fdogjk32.exe
File opened for modification	C:\Windows\SysWOW64\Nmlhaa32.exe	Mhppik32.exe
File created	C:\Windows\SysWOW64\Pnogfchm.dll	Nhkpdi32.exe
File created	C:\Windows\SysWOW64\Mdmgdjbb.dll	Kfjjbd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
536	10108	WerFault.exe	978

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhibhfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnincal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjhjpin.dll"	Kfhnme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkdlkope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jafaem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqfceoje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obbekn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elenahhh.dll"	Ecblbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oapllk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kigoeagd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocegnoog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himche32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihjhq32.dll"	Ehhpge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glngep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlapiaeg.dll"	Eegpkcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mflbjejb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pengna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbfaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iadljc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecafgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caakehij.dll"	Gcceifof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipniemf.dll"	Mkbcbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhfihp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgpkljo.dll"	Niqnli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaccdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenmdg32.dll"	Dbgdnelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naegfb32.dll"	Mdjjgggk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmcejbbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkich32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcheq32.dll"	Nicjaino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehhgpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mllcocna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnnimbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll"	Kmeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npldnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idinej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doageg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjjgggk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odcfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhkca32.dll"	Nbhkjicf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njokei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hillnoif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnampdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnafmhi.dll"	Okgfdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bngdndfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkebbq32.dll"	Gheodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmkkdk32.dll"	Hdmojkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhkdob32.dll"	Dcdifdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foplnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphebml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knboee32.dll"	Gcagdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiaein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjdbda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkedbmab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhmjaaq.dll"	Alelkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eocegn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcaiocbn.dll"	Lmgfod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Limpiomm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 5112	4740	5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe	91
PID 4740 wrote to memory of 5112	4740	5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe	91
PID 4740 wrote to memory of 5112	4740	5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe	91
PID 5112 wrote to memory of 3432	5112	Egpnooan.exe	92
PID 5112 wrote to memory of 3432	5112	Egpnooan.exe	92
PID 5112 wrote to memory of 3432	5112	Egpnooan.exe	92
PID 3432 wrote to memory of 1468	3432	Fclhpo32.exe	93
PID 3432 wrote to memory of 1468	3432	Fclhpo32.exe	93
PID 3432 wrote to memory of 1468	3432	Fclhpo32.exe	93
PID 1468 wrote to memory of 4268	1468	Fdkdibjp.exe	94
PID 1468 wrote to memory of 4268	1468	Fdkdibjp.exe	94
PID 1468 wrote to memory of 4268	1468	Fdkdibjp.exe	94
PID 4268 wrote to memory of 3440	4268	Fqbeoc32.exe	95
PID 4268 wrote to memory of 3440	4268	Fqbeoc32.exe	95
PID 4268 wrote to memory of 3440	4268	Fqbeoc32.exe	95
PID 3440 wrote to memory of 3616	3440	Fnffhgon.exe	96
PID 3440 wrote to memory of 3616	3440	Fnffhgon.exe	96
PID 3440 wrote to memory of 3616	3440	Fnffhgon.exe	96
PID 3616 wrote to memory of 216	3616	Fjmfmh32.exe	97
PID 3616 wrote to memory of 216	3616	Fjmfmh32.exe	97
PID 3616 wrote to memory of 216	3616	Fjmfmh32.exe	97
PID 216 wrote to memory of 1548	216	Gcghkm32.exe	98
PID 216 wrote to memory of 1548	216	Gcghkm32.exe	98
PID 216 wrote to memory of 1548	216	Gcghkm32.exe	98
PID 1548 wrote to memory of 4084	1548	Gcjdam32.exe	99
PID 1548 wrote to memory of 4084	1548	Gcjdam32.exe	99
PID 1548 wrote to memory of 4084	1548	Gcjdam32.exe	99
PID 4084 wrote to memory of 1400	4084	Gbkdod32.exe	100
PID 4084 wrote to memory of 1400	4084	Gbkdod32.exe	100
PID 4084 wrote to memory of 1400	4084	Gbkdod32.exe	100
PID 1400 wrote to memory of 2516	1400	Gqpapacd.exe	101
PID 1400 wrote to memory of 2516	1400	Gqpapacd.exe	101
PID 1400 wrote to memory of 2516	1400	Gqpapacd.exe	101
PID 2516 wrote to memory of 2588	2516	Gbpnjdkg.exe	102
PID 2516 wrote to memory of 2588	2516	Gbpnjdkg.exe	102
PID 2516 wrote to memory of 2588	2516	Gbpnjdkg.exe	102
PID 2588 wrote to memory of 1740	2588	Gbbkocid.exe	103
PID 2588 wrote to memory of 1740	2588	Gbbkocid.exe	103
PID 2588 wrote to memory of 1740	2588	Gbbkocid.exe	103
PID 1740 wrote to memory of 2788	1740	Hgapmj32.exe	104
PID 1740 wrote to memory of 2788	1740	Hgapmj32.exe	104
PID 1740 wrote to memory of 2788	1740	Hgapmj32.exe	104
PID 2788 wrote to memory of 4056	2788	Hegmlnbp.exe	105
PID 2788 wrote to memory of 4056	2788	Hegmlnbp.exe	105
PID 2788 wrote to memory of 4056	2788	Hegmlnbp.exe	105
PID 4056 wrote to memory of 1444	4056	Hbknebqi.exe	106
PID 4056 wrote to memory of 1444	4056	Hbknebqi.exe	106
PID 4056 wrote to memory of 1444	4056	Hbknebqi.exe	106
PID 1444 wrote to memory of 1240	1444	Hkcbnh32.exe	107
PID 1444 wrote to memory of 1240	1444	Hkcbnh32.exe	107
PID 1444 wrote to memory of 1240	1444	Hkcbnh32.exe	107
PID 1240 wrote to memory of 4360	1240	Iapjgo32.exe	108
PID 1240 wrote to memory of 4360	1240	Iapjgo32.exe	108
PID 1240 wrote to memory of 4360	1240	Iapjgo32.exe	108
PID 4360 wrote to memory of 4776	4360	Ilhkigcd.exe	109
PID 4360 wrote to memory of 4776	4360	Ilhkigcd.exe	109
PID 4360 wrote to memory of 4776	4360	Ilhkigcd.exe	109
PID 4776 wrote to memory of 448	4776	Iholohii.exe	110
PID 4776 wrote to memory of 448	4776	Iholohii.exe	110
PID 4776 wrote to memory of 448	4776	Iholohii.exe	110
PID 448 wrote to memory of 4760	448	Ijpepcfj.exe	111
PID 448 wrote to memory of 4760	448	Ijpepcfj.exe	111
PID 448 wrote to memory of 4760	448	Ijpepcfj.exe	111
PID 4760 wrote to memory of 4164	4760	Idhiii32.exe	112

C:\Users\Admin\AppData\Local\Temp\5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe
"C:\Users\Admin\AppData\Local\Temp\5024a408f97e1f8f3469cb24b65d28e88dd01e2a02a7c2abe1caae9f60736540.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\Egpnooan.exe
  C:\Windows\system32\Egpnooan.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Fclhpo32.exe
    C:\Windows\system32\Fclhpo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\Fdkdibjp.exe
      C:\Windows\system32\Fdkdibjp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        23⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        24⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        25⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        26⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        27⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        28⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        29⤵
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        30⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        31⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        32⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        33⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        35⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        36⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        38⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        40⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        41⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        42⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        43⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        44⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        45⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        46⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        47⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        48⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        49⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        50⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        51⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        52⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        53⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        54⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        57⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        58⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        59⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        61⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        62⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Didqkeeq.exe
        
        C:\Windows\system32\Didqkeeq.exe
        66⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Elolco32.exe
        
        C:\Windows\system32\Elolco32.exe
        67⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        68⤵
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Fckaeioa.exe
        
        C:\Windows\system32\Fckaeioa.exe
        69⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Fgijkgeh.exe
        
        C:\Windows\system32\Fgijkgeh.exe
        70⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Ffnglc32.exe
        
        C:\Windows\system32\Ffnglc32.exe
        71⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Fdogjk32.exe
        
        C:\Windows\system32\Fdogjk32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Fgpplf32.exe
        
        C:\Windows\system32\Fgpplf32.exe
        73⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Gnjhhpgl.exe
        
        C:\Windows\system32\Gnjhhpgl.exe
        74⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        75⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        76⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Gjhonp32.exe
        
        C:\Windows\system32\Gjhonp32.exe
        77⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Hcembe32.exe
        
        C:\Windows\system32\Hcembe32.exe
        78⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Hjoeoo32.exe
        
        C:\Windows\system32\Hjoeoo32.exe
        79⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Hqkjaifk.exe
        
        C:\Windows\system32\Hqkjaifk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4532
        
        C:\Windows\SysWOW64\Ifjoop32.exe
        
        C:\Windows\system32\Ifjoop32.exe
        81⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Icnphd32.exe
        
        C:\Windows\system32\Icnphd32.exe
        82⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Iglhob32.exe
        
        C:\Windows\system32\Iglhob32.exe
        83⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Inhmqlmj.exe
        
        C:\Windows\system32\Inhmqlmj.exe
        84⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Jgjeppkp.exe
        
        C:\Windows\system32\Jgjeppkp.exe
        85⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jndmlj32.exe
        
        C:\Windows\system32\Jndmlj32.exe
        86⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jepbodhg.exe
        
        C:\Windows\system32\Jepbodhg.exe
        87⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kagbdenk.exe
        
        C:\Windows\system32\Kagbdenk.exe
        88⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        89⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Keghocao.exe
        
        C:\Windows\system32\Keghocao.exe
        90⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        91⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Kmeiie32.exe
        
        C:\Windows\system32\Kmeiie32.exe
        92⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Lmgfod32.exe
        
        C:\Windows\system32\Lmgfod32.exe
        93⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        94⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Lfddci32.exe
        
        C:\Windows\system32\Lfddci32.exe
        95⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lmqiec32.exe
        
        C:\Windows\system32\Lmqiec32.exe
        96⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdmngm32.exe
        
        C:\Windows\system32\Mdmngm32.exe
        97⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mobbdf32.exe
        
        C:\Windows\system32\Mobbdf32.exe
        98⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgngih32.exe
        
        C:\Windows\system32\Mgngih32.exe
        99⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Moglpedd.exe
        
        C:\Windows\system32\Moglpedd.exe
        100⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mhppik32.exe
        
        C:\Windows\system32\Mhppik32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Nmlhaa32.exe
        
        C:\Windows\system32\Nmlhaa32.exe
        102⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        103⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ndinck32.exe
        
        C:\Windows\system32\Ndinck32.exe
        104⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Nkebee32.exe
        
        C:\Windows\system32\Nkebee32.exe
        105⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Naokbokn.exe
        
        C:\Windows\system32\Naokbokn.exe
        106⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Nglcjfie.exe
        
        C:\Windows\system32\Nglcjfie.exe
        107⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nhkpdi32.exe
        
        C:\Windows\system32\Nhkpdi32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Oacdmo32.exe
        
        C:\Windows\system32\Oacdmo32.exe
        109⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        110⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        111⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        112⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Oookgbpj.exe
        
        C:\Windows\system32\Oookgbpj.exe
        113⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Pfmlok32.exe
        
        C:\Windows\system32\Pfmlok32.exe
        114⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Poeahaib.exe
        
        C:\Windows\system32\Poeahaib.exe
        115⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Qnpgdmjd.exe
        
        C:\Windows\system32\Qnpgdmjd.exe
        116⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Agjhbbob.exe
        
        C:\Windows\system32\Agjhbbob.exe
        117⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Aecbge32.exe
        
        C:\Windows\system32\Aecbge32.exe
        118⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        119⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Akogio32.exe
        
        C:\Windows\system32\Akogio32.exe
        120⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        121⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        122⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Biedhclh.exe
        
        C:\Windows\system32\Biedhclh.exe
        123⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Bfieagka.exe
        
        C:\Windows\system32\Bfieagka.exe
        124⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        125⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Beobcdoi.exe
        
        C:\Windows\system32\Beobcdoi.exe
        126⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Biljib32.exe
        
        C:\Windows\system32\Biljib32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Bbeobhlp.exe
        
        C:\Windows\system32\Bbeobhlp.exe
        128⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Cfbhhfbg.exe
        
        C:\Windows\system32\Cfbhhfbg.exe
        129⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Cnpibh32.exe
        
        C:\Windows\system32\Cnpibh32.exe
        130⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        131⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Cpbbak32.exe
        
        C:\Windows\system32\Cpbbak32.exe
        132⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Cfljnejl.exe
        
        C:\Windows\system32\Cfljnejl.exe
        133⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        134⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        135⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Dhpdkm32.exe
        
        C:\Windows\system32\Dhpdkm32.exe
        136⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Dbgdnelk.exe
        
        C:\Windows\system32\Dbgdnelk.exe
        137⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Dpkehi32.exe
        
        C:\Windows\system32\Dpkehi32.exe
        138⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Dfemdcba.exe
        
        C:\Windows\system32\Dfemdcba.exe
        139⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Doqbifpl.exe
        
        C:\Windows\system32\Doqbifpl.exe
        140⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Eekjep32.exe
        
        C:\Windows\system32\Eekjep32.exe
        141⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Efjgpc32.exe
        
        C:\Windows\system32\Efjgpc32.exe
        143⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        144⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ehnpmkbg.exe
        
        C:\Windows\system32\Ehnpmkbg.exe
        145⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Ebcdjc32.exe
        
        C:\Windows\system32\Ebcdjc32.exe
        146⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Eimlgnij.exe
        
        C:\Windows\system32\Eimlgnij.exe
        147⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        148⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Ehbihj32.exe
        
        C:\Windows\system32\Ehbihj32.exe
        149⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        150⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Fhefmjlp.exe
        
        C:\Windows\system32\Fhefmjlp.exe
        151⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Fbjjkble.exe
        
        C:\Windows\system32\Fbjjkble.exe
        152⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        153⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Fhiphi32.exe
        
        C:\Windows\system32\Fhiphi32.exe
        154⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Fhllni32.exe
        
        C:\Windows\system32\Fhllni32.exe
        155⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Fcaqka32.exe
        
        C:\Windows\system32\Fcaqka32.exe
        156⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Fljedg32.exe
        
        C:\Windows\system32\Fljedg32.exe
        157⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ggoiap32.exe
        
        C:\Windows\system32\Ggoiap32.exe
        158⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Gojnfb32.exe
        
        C:\Windows\system32\Gojnfb32.exe
        159⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Gedfblql.exe
        
        C:\Windows\system32\Gedfblql.exe
        160⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        161⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Glchjedc.exe
        
        C:\Windows\system32\Glchjedc.exe
        162⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Gcmpgpkp.exe
        
        C:\Windows\system32\Gcmpgpkp.exe
        163⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Hcommoin.exe
        
        C:\Windows\system32\Hcommoin.exe
        164⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        165⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Hcdfho32.exe
        
        C:\Windows\system32\Hcdfho32.exe
        166⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Hfbbdj32.exe
        
        C:\Windows\system32\Hfbbdj32.exe
        167⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Hcfcmnce.exe
        
        C:\Windows\system32\Hcfcmnce.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Hhckeeam.exe
        
        C:\Windows\system32\Hhckeeam.exe
        169⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Hcipcnac.exe
        
        C:\Windows\system32\Hcipcnac.exe
        170⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ioppho32.exe
        
        C:\Windows\system32\Ioppho32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1216
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        172⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Iqdfmajd.exe
        
        C:\Windows\system32\Iqdfmajd.exe
        173⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Imjgbb32.exe
        
        C:\Windows\system32\Imjgbb32.exe
        174⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Igpkok32.exe
        
        C:\Windows\system32\Igpkok32.exe
        175⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Jmmcgbnf.exe
        
        C:\Windows\system32\Jmmcgbnf.exe
        176⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Jcgldl32.exe
        
        C:\Windows\system32\Jcgldl32.exe
        177⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Jicdlc32.exe
        
        C:\Windows\system32\Jicdlc32.exe
        178⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Jcihjl32.exe
        
        C:\Windows\system32\Jcihjl32.exe
        179⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Jmamba32.exe
        
        C:\Windows\system32\Jmamba32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Jggapj32.exe
        
        C:\Windows\system32\Jggapj32.exe
        181⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Jqofippg.exe
        
        C:\Windows\system32\Jqofippg.exe
        182⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jfokff32.exe
        
        C:\Windows\system32\Jfokff32.exe
        183⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Kcehejic.exe
        
        C:\Windows\system32\Kcehejic.exe
        184⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Kplijk32.exe
        
        C:\Windows\system32\Kplijk32.exe
        185⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Kfhnme32.exe
        
        C:\Windows\system32\Kfhnme32.exe
        186⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        187⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Lmdbooik.exe
        
        C:\Windows\system32\Lmdbooik.exe
        188⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lcqgahoe.exe
        
        C:\Windows\system32\Lcqgahoe.exe
        189⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Limpiomm.exe
        
        C:\Windows\system32\Limpiomm.exe
        190⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ljmmcbdp.exe
        
        C:\Windows\system32\Ljmmcbdp.exe
        191⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Lfcmhc32.exe
        
        C:\Windows\system32\Lfcmhc32.exe
        192⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Lplaaiqd.exe
        
        C:\Windows\system32\Lplaaiqd.exe
        193⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Mdjjgggk.exe
        
        C:\Windows\system32\Mdjjgggk.exe
        194⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Mjdbda32.exe
        
        C:\Windows\system32\Mjdbda32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Mhhcne32.exe
        
        C:\Windows\system32\Mhhcne32.exe
        196⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        197⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        199⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        200⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        201⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        202⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        203⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        204⤵
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        205⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        206⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        207⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        208⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        209⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        210⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        211⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Opmcod32.exe
        
        C:\Windows\system32\Opmcod32.exe
        212⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        213⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Pkedbmab.exe
        
        C:\Windows\system32\Pkedbmab.exe
        214⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        215⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        216⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Pacfjfej.exe
        
        C:\Windows\system32\Pacfjfej.exe
        217⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Pjoknhbe.exe
        
        C:\Windows\system32\Pjoknhbe.exe
        218⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Pjahchpb.exe
        
        C:\Windows\system32\Pjahchpb.exe
        219⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        220⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        221⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        222⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        223⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7228
        
        C:\Windows\SysWOW64\Aqbfaa32.exe
        
        C:\Windows\system32\Aqbfaa32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        226⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        227⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Akjgdjoj.exe
        
        C:\Windows\system32\Akjgdjoj.exe
        228⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        229⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        230⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        231⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Bkamdi32.exe
        
        C:\Windows\system32\Bkamdi32.exe
        232⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        233⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Bndblcdq.exe
        
        C:\Windows\system32\Bndblcdq.exe
        234⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        235⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        236⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        238⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        239⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        240⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Cnpbgajc.exe
        
        C:\Windows\system32\Cnpbgajc.exe
        241⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        242⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Cjfclcpg.exe
        
        C:\Windows\system32\Cjfclcpg.exe
        243⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        244⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        245⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Djklgb32.exe
        
        C:\Windows\system32\Djklgb32.exe
        246⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7532
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        248⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        249⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        250⤵
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        251⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        252⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        254⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        255⤵
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Eiobbgcl.exe
        
        C:\Windows\system32\Eiobbgcl.exe
        256⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        257⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Fkbkoo32.exe
        
        C:\Windows\system32\Fkbkoo32.exe
        258⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Fehplggn.exe
        
        C:\Windows\system32\Fehplggn.exe
        259⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Fifhbf32.exe
        
        C:\Windows\system32\Fifhbf32.exe
        260⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Focakm32.exe
        
        C:\Windows\system32\Focakm32.exe
        261⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Fiheheka.exe
        
        C:\Windows\system32\Fiheheka.exe
        262⤵
        Drops file in System32 directory
        
        PID:8400
        
        C:\Windows\SysWOW64\Fbqiak32.exe
        
        C:\Windows\system32\Fbqiak32.exe
        263⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Ghmbib32.exe
        
        C:\Windows\system32\Ghmbib32.exe
        264⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Ghpooanf.exe
        
        C:\Windows\system32\Ghpooanf.exe
        265⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Gedohfmp.exe
        
        C:\Windows\system32\Gedohfmp.exe
        266⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        267⤵
        Modifies registry class
        
        PID:8624
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        268⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Glpdjpbj.exe
        
        C:\Windows\system32\Glpdjpbj.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716
        
        C:\Windows\SysWOW64\Hhiaepfl.exe
        
        C:\Windows\system32\Hhiaepfl.exe
        270⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Hembndee.exe
        
        C:\Windows\system32\Hembndee.exe
        271⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        272⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Hohcmjic.exe
        
        C:\Windows\system32\Hohcmjic.exe
        273⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Himgjbii.exe
        
        C:\Windows\system32\Himgjbii.exe
        274⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Hojpbigq.exe
        
        C:\Windows\system32\Hojpbigq.exe
        275⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Hedhoc32.exe
        
        C:\Windows\system32\Hedhoc32.exe
        276⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Hchihhng.exe
        
        C:\Windows\system32\Hchihhng.exe
        277⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Iheaqolo.exe
        
        C:\Windows\system32\Iheaqolo.exe
        278⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        279⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        280⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        281⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Ileflmpb.exe
        
        C:\Windows\system32\Ileflmpb.exe
        282⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Iabodcnj.exe
        
        C:\Windows\system32\Iabodcnj.exe
        283⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ilgcblnp.exe
        
        C:\Windows\system32\Ilgcblnp.exe
        284⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Iadljc32.exe
        
        C:\Windows\system32\Iadljc32.exe
        285⤵
        Modifies registry class
        
        PID:8472
        
        C:\Windows\SysWOW64\Ihndgmdd.exe
        
        C:\Windows\system32\Ihndgmdd.exe
        286⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        287⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        288⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Jjbjlpga.exe
        
        C:\Windows\system32\Jjbjlpga.exe
        289⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        290⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Jmepcj32.exe
        
        C:\Windows\system32\Jmepcj32.exe
        291⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Kfpqap32.exe
        
        C:\Windows\system32\Kfpqap32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8784
        
        C:\Windows\SysWOW64\Kjnihnmd.exe
        
        C:\Windows\system32\Kjnihnmd.exe
        293⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        294⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Kbinlp32.exe
        
        C:\Windows\system32\Kbinlp32.exe
        295⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Kfggbope.exe
        
        C:\Windows\system32\Kfggbope.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9052
        
        C:\Windows\SysWOW64\Lopkkdgf.exe
        
        C:\Windows\system32\Lopkkdgf.exe
        297⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Lobhqdec.exe
        
        C:\Windows\system32\Lobhqdec.exe
        298⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Lijlii32.exe
        
        C:\Windows\system32\Lijlii32.exe
        299⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        300⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Lkkekdhe.exe
        
        C:\Windows\system32\Lkkekdhe.exe
        301⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Lbenho32.exe
        
        C:\Windows\system32\Lbenho32.exe
        302⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Llmbqdfb.exe
        
        C:\Windows\system32\Llmbqdfb.exe
        303⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ljoboloa.exe
        
        C:\Windows\system32\Ljoboloa.exe
        304⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Mbjgcnll.exe
        
        C:\Windows\system32\Mbjgcnll.exe
        305⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Mpnglbkf.exe
        
        C:\Windows\system32\Mpnglbkf.exe
        306⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Mjcljk32.exe
        
        C:\Windows\system32\Mjcljk32.exe
        307⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Mclpbqal.exe
        
        C:\Windows\system32\Mclpbqal.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3148
        
        C:\Windows\SysWOW64\Mjehok32.exe
        
        C:\Windows\system32\Mjehok32.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8828
        
        C:\Windows\SysWOW64\Mcnmhpoj.exe
        
        C:\Windows\system32\Mcnmhpoj.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8924
        
        C:\Windows\SysWOW64\Mmfaafej.exe
        
        C:\Windows\system32\Mmfaafej.exe
        311⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Mimbfg32.exe
        
        C:\Windows\system32\Mimbfg32.exe
        312⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        313⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Npighq32.exe
        
        C:\Windows\system32\Npighq32.exe
        314⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Njokei32.exe
        
        C:\Windows\system32\Njokei32.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Npldnp32.exe
        
        C:\Windows\system32\Npldnp32.exe
        316⤵
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Nlbdba32.exe
        
        C:\Windows\system32\Nlbdba32.exe
        317⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Njceqili.exe
        
        C:\Windows\system32\Njceqili.exe
        318⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Ndliin32.exe
        
        C:\Windows\system32\Ndliin32.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1240
        
        C:\Windows\SysWOW64\Olgnnqpe.exe
        
        C:\Windows\system32\Olgnnqpe.exe
        320⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Ofmbkipk.exe
        
        C:\Windows\system32\Ofmbkipk.exe
        321⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Obccpj32.exe
        
        C:\Windows\system32\Obccpj32.exe
        322⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Omigmc32.exe
        
        C:\Windows\system32\Omigmc32.exe
        323⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Ojmgggdo.exe
        
        C:\Windows\system32\Ojmgggdo.exe
        324⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Okodlgbl.exe
        
        C:\Windows\system32\Okodlgbl.exe
        325⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Odhiemil.exe
        
        C:\Windows\system32\Odhiemil.exe
        326⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Pmpmnb32.exe
        
        C:\Windows\system32\Pmpmnb32.exe
        327⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        328⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Pkdngf32.exe
        
        C:\Windows\system32\Pkdngf32.exe
        329⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Ppafpm32.exe
        
        C:\Windows\system32\Ppafpm32.exe
        330⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Pkfjmfld.exe
        
        C:\Windows\system32\Pkfjmfld.exe
        331⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Ppccemjk.exe
        
        C:\Windows\system32\Ppccemjk.exe
        332⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Pmgcoaie.exe
        
        C:\Windows\system32\Pmgcoaie.exe
        333⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Pdalkk32.exe
        
        C:\Windows\system32\Pdalkk32.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Pmipdq32.exe
        
        C:\Windows\system32\Pmipdq32.exe
        335⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Pcfhlh32.exe
        
        C:\Windows\system32\Pcfhlh32.exe
        336⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Qmlmjq32.exe
        
        C:\Windows\system32\Qmlmjq32.exe
        337⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Qdfefkll.exe
        
        C:\Windows\system32\Qdfefkll.exe
        338⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Qnniopcm.exe
        
        C:\Windows\system32\Qnniopcm.exe
        339⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Qdhalj32.exe
        
        C:\Windows\system32\Qdhalj32.exe
        340⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Aiejda32.exe
        
        C:\Windows\system32\Aiejda32.exe
        341⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Acmomgoa.exe
        
        C:\Windows\system32\Acmomgoa.exe
        342⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Admkgifd.exe
        
        C:\Windows\system32\Admkgifd.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Ajjcoqdl.exe
        
        C:\Windows\system32\Ajjcoqdl.exe
        344⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Apcllk32.exe
        
        C:\Windows\system32\Apcllk32.exe
        345⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Ajlpepbi.exe
        
        C:\Windows\system32\Ajlpepbi.exe
        346⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Adadbi32.exe
        
        C:\Windows\system32\Adadbi32.exe
        347⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\Ajnmjp32.exe
        
        C:\Windows\system32\Ajnmjp32.exe
        348⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Acgacegg.exe
        
        C:\Windows\system32\Acgacegg.exe
        349⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Bnlfqngm.exe
        
        C:\Windows\system32\Bnlfqngm.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Bjeckojo.exe
        
        C:\Windows\system32\Bjeckojo.exe
        351⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Bdkghg32.exe
        
        C:\Windows\system32\Bdkghg32.exe
        352⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Bkepeaaa.exe
        
        C:\Windows\system32\Bkepeaaa.exe
        353⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Bdmdng32.exe
        
        C:\Windows\system32\Bdmdng32.exe
        354⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Bmhibi32.exe
        
        C:\Windows\system32\Bmhibi32.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9196
        
        C:\Windows\SysWOW64\Ccbaoc32.exe
        
        C:\Windows\system32\Ccbaoc32.exe
        356⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Cjlilndf.exe
        
        C:\Windows\system32\Cjlilndf.exe
        357⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Cdbmifdl.exe
        
        C:\Windows\system32\Cdbmifdl.exe
        358⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Cnjbbl32.exe
        
        C:\Windows\system32\Cnjbbl32.exe
        359⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Cqinng32.exe
        
        C:\Windows\system32\Cqinng32.exe
        360⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Cdfgdf32.exe
        
        C:\Windows\system32\Cdfgdf32.exe
        361⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Ckqoapgd.exe
        
        C:\Windows\system32\Ckqoapgd.exe
        362⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1136
        
        C:\Windows\SysWOW64\Cmblhh32.exe
        
        C:\Windows\system32\Cmblhh32.exe
        363⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Cggpfa32.exe
        
        C:\Windows\system32\Cggpfa32.exe
        364⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Dmiaig32.exe
        
        C:\Windows\system32\Dmiaig32.exe
        365⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Djoohk32.exe
        
        C:\Windows\system32\Djoohk32.exe
        366⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Dqigee32.exe
        
        C:\Windows\system32\Dqigee32.exe
        367⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Dkokbn32.exe
        
        C:\Windows\system32\Dkokbn32.exe
        368⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Eegpkcbd.exe
        
        C:\Windows\system32\Eegpkcbd.exe
        369⤵
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Ejdhcjpl.exe
        
        C:\Windows\system32\Ejdhcjpl.exe
        370⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Eeimqc32.exe
        
        C:\Windows\system32\Eeimqc32.exe
        371⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Eelifc32.exe
        
        C:\Windows\system32\Eelifc32.exe
        372⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Endnohdp.exe
        
        C:\Windows\system32\Endnohdp.exe
        373⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Ecafgo32.exe
        
        C:\Windows\system32\Ecafgo32.exe
        374⤵
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Ejkndijd.exe
        
        C:\Windows\system32\Ejkndijd.exe
        375⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Eepbabjj.exe
        
        C:\Windows\system32\Eepbabjj.exe
        376⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Enigjh32.exe
        
        C:\Windows\system32\Enigjh32.exe
        377⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Flmhclod.exe
        
        C:\Windows\system32\Flmhclod.exe
        378⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Feella32.exe
        
        C:\Windows\system32\Feella32.exe
        379⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Flodilma.exe
        
        C:\Windows\system32\Flodilma.exe
        380⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Fegiba32.exe
        
        C:\Windows\system32\Fegiba32.exe
        381⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Fnpmkg32.exe
        
        C:\Windows\system32\Fnpmkg32.exe
        382⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Fhhaclqc.exe
        
        C:\Windows\system32\Fhhaclqc.exe
        383⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Fmejlcoj.exe
        
        C:\Windows\system32\Fmejlcoj.exe
        384⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Fdobhm32.exe
        
        C:\Windows\system32\Fdobhm32.exe
        385⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Fjikeg32.exe
        
        C:\Windows\system32\Fjikeg32.exe
        386⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Gdaonmdd.exe
        
        C:\Windows\system32\Gdaonmdd.exe
        387⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Gjkgkg32.exe
        
        C:\Windows\system32\Gjkgkg32.exe
        388⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Ghohdk32.exe
        
        C:\Windows\system32\Ghohdk32.exe
        389⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Gmlplbib.exe
        
        C:\Windows\system32\Gmlplbib.exe
        390⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Gjpaffhl.exe
        
        C:\Windows\system32\Gjpaffhl.exe
        391⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9820
        
        C:\Windows\SysWOW64\Ghdaokfe.exe
        
        C:\Windows\system32\Ghdaokfe.exe
        392⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Gmqjga32.exe
        
        C:\Windows\system32\Gmqjga32.exe
        393⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Gdkbdllj.exe
        
        C:\Windows\system32\Gdkbdllj.exe
        394⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Hopfadlp.exe
        
        C:\Windows\system32\Hopfadlp.exe
        395⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Hdmojkjg.exe
        
        C:\Windows\system32\Hdmojkjg.exe
        396⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10036
        
        C:\Windows\SysWOW64\Hldgkiki.exe
        
        C:\Windows\system32\Hldgkiki.exe
        397⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Hdokok32.exe
        
        C:\Windows\system32\Hdokok32.exe
        398⤵
        Drops file in System32 directory
        
        PID:10120
        
        C:\Windows\SysWOW64\Hoepmd32.exe
        
        C:\Windows\system32\Hoepmd32.exe
        399⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Heohinog.exe
        
        C:\Windows\system32\Heohinog.exe
        400⤵
        Drops file in System32 directory
        
        PID:10204
        
        C:\Windows\SysWOW64\Hoglbc32.exe
        
        C:\Windows\system32\Hoglbc32.exe
        401⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Headon32.exe
        
        C:\Windows\system32\Headon32.exe
        402⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Hhbnqi32.exe
        
        C:\Windows\system32\Hhbnqi32.exe
        403⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Idinej32.exe
        
        C:\Windows\system32\Idinej32.exe
        404⤵
        Modifies registry class
        
        PID:9400
        
        C:\Windows\SysWOW64\Ionbcb32.exe
        
        C:\Windows\system32\Ionbcb32.exe
        405⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Iehkpmgl.exe
        
        C:\Windows\system32\Iehkpmgl.exe
        406⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Ikechced.exe
        
        C:\Windows\system32\Ikechced.exe
        407⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Ioclnblj.exe
        
        C:\Windows\system32\Ioclnblj.exe
        408⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Iaahjmkn.exe
        
        C:\Windows\system32\Iaahjmkn.exe
        409⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Ihkpgg32.exe
        
        C:\Windows\system32\Ihkpgg32.exe
        410⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Inhion32.exe
        
        C:\Windows\system32\Inhion32.exe
        411⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Idbalhho.exe
        
        C:\Windows\system32\Idbalhho.exe
        412⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9760
        
        C:\Windows\SysWOW64\Jafaem32.exe
        
        C:\Windows\system32\Jafaem32.exe
        413⤵
        Modifies registry class
        
        PID:9812
        
        C:\Windows\SysWOW64\Jhpjbgne.exe
        
        C:\Windows\system32\Jhpjbgne.exe
        414⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Jahnkl32.exe
        
        C:\Windows\system32\Jahnkl32.exe
        415⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\Jlnbhe32.exe
        
        C:\Windows\system32\Jlnbhe32.exe
        416⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Jakkplbc.exe
        
        C:\Windows\system32\Jakkplbc.exe
        417⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Jhdcmf32.exe
        
        C:\Windows\system32\Jhdcmf32.exe
        418⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Jookjpam.exe
        
        C:\Windows\system32\Jookjpam.exe
        419⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Jlblcdpf.exe
        
        C:\Windows\system32\Jlblcdpf.exe
        420⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Khimhefk.exe
        
        C:\Windows\system32\Khimhefk.exe
        421⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Kaaaak32.exe
        
        C:\Windows\system32\Kaaaak32.exe
        422⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Klgend32.exe
        
        C:\Windows\system32\Klgend32.exe
        423⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Kfpjgi32.exe
        
        C:\Windows\system32\Kfpjgi32.exe
        424⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Kklbop32.exe
        
        C:\Windows\system32\Kklbop32.exe
        425⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Kbfjljhf.exe
        
        C:\Windows\system32\Kbfjljhf.exe
        426⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9432
        
        C:\Windows\SysWOW64\Khpcid32.exe
        
        C:\Windows\system32\Khpcid32.exe
        427⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Knmkak32.exe
        
        C:\Windows\system32\Knmkak32.exe
        428⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Kkaljpmd.exe
        
        C:\Windows\system32\Kkaljpmd.exe
        429⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Kbkdgj32.exe
        
        C:\Windows\system32\Kbkdgj32.exe
        430⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Llqhdb32.exe
        
        C:\Windows\system32\Llqhdb32.exe
        431⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Lnbdlkje.exe
        
        C:\Windows\system32\Lnbdlkje.exe
        432⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Lmcejbbd.exe
        
        C:\Windows\system32\Lmcejbbd.exe
        433⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Lfkich32.exe
        
        C:\Windows\system32\Lfkich32.exe
        434⤵
        Modifies registry class
        
        PID:9896
        
        C:\Windows\SysWOW64\Lkhbko32.exe
        
        C:\Windows\system32\Lkhbko32.exe
        435⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Lfnfhg32.exe
        
        C:\Windows\system32\Lfnfhg32.exe
        436⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Lkjoqnei.exe
        
        C:\Windows\system32\Lkjoqnei.exe
        437⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Linojbdc.exe
        
        C:\Windows\system32\Linojbdc.exe
        438⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Mmlhpaji.exe
        
        C:\Windows\system32\Mmlhpaji.exe
        439⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Mnndhi32.exe
        
        C:\Windows\system32\Mnndhi32.exe
        440⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Mmodfqhf.exe
        
        C:\Windows\system32\Mmodfqhf.exe
        441⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Mbkmngfn.exe
        
        C:\Windows\system32\Mbkmngfn.exe
        442⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Mkdagm32.exe
        
        C:\Windows\system32\Mkdagm32.exe
        443⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mfiedfmd.exe
        
        C:\Windows\system32\Mfiedfmd.exe
        444⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Moajmk32.exe
        
        C:\Windows\system32\Moajmk32.exe
        445⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Mflbjejb.exe
        
        C:\Windows\system32\Mflbjejb.exe
        446⤵
        Modifies registry class
        
        PID:9808
        
        C:\Windows\SysWOW64\Mkhkblii.exe
        
        C:\Windows\system32\Mkhkblii.exe
        447⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Neaokboj.exe
        
        C:\Windows\system32\Neaokboj.exe
        448⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Nmjdaoni.exe
        
        C:\Windows\system32\Nmjdaoni.exe
        449⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Nmajbnha.exe
        
        C:\Windows\system32\Nmajbnha.exe
        450⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Nnbfjf32.exe
        
        C:\Windows\system32\Nnbfjf32.exe
        451⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10112
        
        C:\Windows\SysWOW64\Oihkgo32.exe
        
        C:\Windows\system32\Oihkgo32.exe
        452⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Oeoklp32.exe
        
        C:\Windows\system32\Oeoklp32.exe
        453⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Oeahap32.exe
        
        C:\Windows\system32\Oeahap32.exe
        454⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Onjmjegg.exe
        
        C:\Windows\system32\Onjmjegg.exe
        455⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Oecego32.exe
        
        C:\Windows\system32\Oecego32.exe
        456⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Onlipd32.exe
        
        C:\Windows\system32\Onlipd32.exe
        457⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Oefamoma.exe
        
        C:\Windows\system32\Oefamoma.exe
        458⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Olpjii32.exe
        
        C:\Windows\system32\Olpjii32.exe
        459⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Pfenga32.exe
        
        C:\Windows\system32\Pfenga32.exe
        460⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pmpfcl32.exe
        
        C:\Windows\system32\Pmpfcl32.exe
        461⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Poqckdap.exe
        
        C:\Windows\system32\Poqckdap.exe
        462⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Pmbcik32.exe
        
        C:\Windows\system32\Pmbcik32.exe
        463⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Qipjokik.exe
        
        C:\Windows\system32\Qipjokik.exe
        464⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Qlnfkgho.exe
        
        C:\Windows\system32\Qlnfkgho.exe
        465⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Qbhnga32.exe
        
        C:\Windows\system32\Qbhnga32.exe
        466⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Qlpcpffl.exe
        
        C:\Windows\system32\Qlpcpffl.exe
        467⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Abjkmqni.exe
        
        C:\Windows\system32\Abjkmqni.exe
        468⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Ampojimo.exe
        
        C:\Windows\system32\Ampojimo.exe
        469⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Aekdolkj.exe
        
        C:\Windows\system32\Aekdolkj.exe
        470⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Alelkf32.exe
        
        C:\Windows\system32\Alelkf32.exe
        471⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Aiimejap.exe
        
        C:\Windows\system32\Aiimejap.exe
        472⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Acaanp32.exe
        
        C:\Windows\system32\Acaanp32.exe
        473⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Aikijjon.exe
        
        C:\Windows\system32\Aikijjon.exe
        474⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Apeagd32.exe
        
        C:\Windows\system32\Apeagd32.exe
        475⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bllble32.exe
        
        C:\Windows\system32\Bllble32.exe
        476⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Bipcei32.exe
        
        C:\Windows\system32\Bipcei32.exe
        477⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bomknp32.exe
        
        C:\Windows\system32\Bomknp32.exe
        478⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Begcjjql.exe
        
        C:\Windows\system32\Begcjjql.exe
        479⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Blqlgdhi.exe
        
        C:\Windows\system32\Blqlgdhi.exe
        480⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Bckddn32.exe
        
        C:\Windows\system32\Bckddn32.exe
        481⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Bnphag32.exe
        
        C:\Windows\system32\Bnphag32.exe
        482⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Boaeioej.exe
        
        C:\Windows\system32\Boaeioej.exe
        483⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Bodano32.exe
        
        C:\Windows\system32\Bodano32.exe
        484⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Bjielh32.exe
        
        C:\Windows\system32\Bjielh32.exe
        485⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Cpcnhbjj.exe
        
        C:\Windows\system32\Cpcnhbjj.exe
        486⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Cfpfqiha.exe
        
        C:\Windows\system32\Cfpfqiha.exe
        487⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Cljomc32.exe
        
        C:\Windows\system32\Cljomc32.exe
        488⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Cgpcklpd.exe
        
        C:\Windows\system32\Cgpcklpd.exe
        489⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cllkcbnl.exe
        
        C:\Windows\system32\Cllkcbnl.exe
        490⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ccfcpm32.exe
        
        C:\Windows\system32\Ccfcpm32.exe
        491⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjpllgme.exe
        
        C:\Windows\system32\Cjpllgme.exe
        492⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        493⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Dqomdppm.exe
        
        C:\Windows\system32\Dqomdppm.exe
        494⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Djgbmffn.exe
        
        C:\Windows\system32\Djgbmffn.exe
        495⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Djjobedk.exe
        
        C:\Windows\system32\Djjobedk.exe
        496⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Dfqogfjo.exe
        
        C:\Windows\system32\Dfqogfjo.exe
        497⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Dqfceoje.exe
        
        C:\Windows\system32\Dqfceoje.exe
        498⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dgplai32.exe
        
        C:\Windows\system32\Dgplai32.exe
        499⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Dcglfjgf.exe
        
        C:\Windows\system32\Dcglfjgf.exe
        500⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Enlqdc32.exe
        
        C:\Windows\system32\Enlqdc32.exe
        501⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Egeemiml.exe
        
        C:\Windows\system32\Egeemiml.exe
        502⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Eqmjen32.exe
        
        C:\Windows\system32\Eqmjen32.exe
        503⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ejennd32.exe
        
        C:\Windows\system32\Ejennd32.exe
        504⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Eqpfknbj.exe
        
        C:\Windows\system32\Eqpfknbj.exe
        505⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Ecnbgian.exe
        
        C:\Windows\system32\Ecnbgian.exe
        506⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Emfgpo32.exe
        
        C:\Windows\system32\Emfgpo32.exe
        507⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Eglkmh32.exe
        
        C:\Windows\system32\Eglkmh32.exe
        508⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ecblbi32.exe
        
        C:\Windows\system32\Ecblbi32.exe
        509⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Fgqehgco.exe
        
        C:\Windows\system32\Fgqehgco.exe
        510⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Fqiiamjp.exe
        
        C:\Windows\system32\Fqiiamjp.exe
        511⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Fnmjkahi.exe
        
        C:\Windows\system32\Fnmjkahi.exe
        512⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Ffhnocfd.exe
        
        C:\Windows\system32\Ffhnocfd.exe
        513⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Fmbflm32.exe
        
        C:\Windows\system32\Fmbflm32.exe
        514⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ffjkdc32.exe
        
        C:\Windows\system32\Ffjkdc32.exe
        515⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Gcceifof.exe
        
        C:\Windows\system32\Gcceifof.exe
        516⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Gmkibl32.exe
        
        C:\Windows\system32\Gmkibl32.exe
        517⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ghanoeel.exe
        
        C:\Windows\system32\Ghanoeel.exe
        518⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Gplbcgbg.exe
        
        C:\Windows\system32\Gplbcgbg.exe
        519⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Gffkpa32.exe
        
        C:\Windows\system32\Gffkpa32.exe
        520⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Galonj32.exe
        
        C:\Windows\system32\Galonj32.exe
        521⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        522⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Hnblmnfa.exe
        
        C:\Windows\system32\Hnblmnfa.exe
        523⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Hfmqapcl.exe
        
        C:\Windows\system32\Hfmqapcl.exe
        524⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Hhmmkcko.exe
        
        C:\Windows\system32\Hhmmkcko.exe
        525⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Hphbpehj.exe
        
        C:\Windows\system32\Hphbpehj.exe
        526⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        527⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Iplkje32.exe
        
        C:\Windows\system32\Iplkje32.exe
        528⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Ikbphn32.exe
        
        C:\Windows\system32\Ikbphn32.exe
        529⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Ipohpdbb.exe
        
        C:\Windows\system32\Ipohpdbb.exe
        530⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ifipmo32.exe
        
        C:\Windows\system32\Ifipmo32.exe
        531⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Iandjg32.exe
        
        C:\Windows\system32\Iandjg32.exe
        532⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Igkmbn32.exe
        
        C:\Windows\system32\Igkmbn32.exe
        533⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Idonlbff.exe
        
        C:\Windows\system32\Idonlbff.exe
        534⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ikifhm32.exe
        
        C:\Windows\system32\Ikifhm32.exe
        535⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Jpfnqc32.exe
        
        C:\Windows\system32\Jpfnqc32.exe
        536⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Jognokdi.exe
        
        C:\Windows\system32\Jognokdi.exe
        537⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Jknocljn.exe
        
        C:\Windows\system32\Jknocljn.exe
        538⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Jahgpf32.exe
        
        C:\Windows\system32\Jahgpf32.exe
        539⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Jmnheggo.exe
        
        C:\Windows\system32\Jmnheggo.exe
        540⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jondojna.exe
        
        C:\Windows\system32\Jondojna.exe
        541⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Jpoagb32.exe
        
        C:\Windows\system32\Jpoagb32.exe
        542⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Jhfihp32.exe
        
        C:\Windows\system32\Jhfihp32.exe
        543⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Kaonaekb.exe
        
        C:\Windows\system32\Kaonaekb.exe
        544⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Kgkfil32.exe
        
        C:\Windows\system32\Kgkfil32.exe
        545⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Knenffqf.exe
        
        C:\Windows\system32\Knenffqf.exe
        546⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Kacgld32.exe
        
        C:\Windows\system32\Kacgld32.exe
        547⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Kdbchp32.exe
        
        C:\Windows\system32\Kdbchp32.exe
        548⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Koggehff.exe
        
        C:\Windows\system32\Koggehff.exe
        549⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Kphdma32.exe
        
        C:\Windows\system32\Kphdma32.exe
        550⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kgbljkca.exe
        
        C:\Windows\system32\Kgbljkca.exe
        551⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Knldfe32.exe
        
        C:\Windows\system32\Knldfe32.exe
        552⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Kgeiokao.exe
        
        C:\Windows\system32\Kgeiokao.exe
        553⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        554⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Lggeej32.exe
        
        C:\Windows\system32\Lggeej32.exe
        555⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Lonnfg32.exe
        
        C:\Windows\system32\Lonnfg32.exe
        556⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        557⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Lglopjkg.exe
        
        C:\Windows\system32\Lglopjkg.exe
        558⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Laacmbkm.exe
        
        C:\Windows\system32\Laacmbkm.exe
        559⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Lhkkjl32.exe
        
        C:\Windows\system32\Lhkkjl32.exe
        560⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Lnhdbc32.exe
        
        C:\Windows\system32\Lnhdbc32.exe
        561⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ldblon32.exe
        
        C:\Windows\system32\Ldblon32.exe
        562⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Lgqhki32.exe
        
        C:\Windows\system32\Lgqhki32.exe
        563⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mbfmha32.exe
        
        C:\Windows\system32\Mbfmha32.exe
        564⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Mgceqh32.exe
        
        C:\Windows\system32\Mgceqh32.exe
        565⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mqkijnkp.exe
        
        C:\Windows\system32\Mqkijnkp.exe
        566⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Mgebfhcl.exe
        
        C:\Windows\system32\Mgebfhcl.exe
        567⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Mnojcb32.exe
        
        C:\Windows\system32\Mnojcb32.exe
        568⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Mdibplaf.exe
        
        C:\Windows\system32\Mdibplaf.exe
        569⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Mggolhaj.exe
        
        C:\Windows\system32\Mggolhaj.exe
        570⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Mqpcdn32.exe
        
        C:\Windows\system32\Mqpcdn32.exe
        571⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Mgjkag32.exe
        
        C:\Windows\system32\Mgjkag32.exe
        572⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Mndcnafd.exe
        
        C:\Windows\system32\Mndcnafd.exe
        573⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Mdnlkl32.exe
        
        C:\Windows\system32\Mdnlkl32.exe
        574⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Nocphd32.exe
        
        C:\Windows\system32\Nocphd32.exe
        575⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Nildajdg.exe
        
        C:\Windows\system32\Nildajdg.exe
        576⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Nofmndkd.exe
        
        C:\Windows\system32\Nofmndkd.exe
        577⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2900
        
        C:\Windows\SysWOW64\Ndbefkjk.exe
        
        C:\Windows\system32\Ndbefkjk.exe
        578⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Nbfeoohe.exe
        
        C:\Windows\system32\Nbfeoohe.exe
        579⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Niqnli32.exe
        
        C:\Windows\system32\Niqnli32.exe
        580⤵
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nbibeo32.exe
        
        C:\Windows\system32\Nbibeo32.exe
        581⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Nicjaino.exe
        
        C:\Windows\system32\Nicjaino.exe
        582⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nbkojo32.exe
        
        C:\Windows\system32\Nbkojo32.exe
        583⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Okcccdkp.exe
        
        C:\Windows\system32\Okcccdkp.exe
        584⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Oapllk32.exe
        
        C:\Windows\system32\Oapllk32.exe
        585⤵
        Modifies registry class
        
        PID:10316
        
        C:\Windows\SysWOW64\Ogjdheqd.exe
        
        C:\Windows\system32\Ogjdheqd.exe
        586⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Ondleo32.exe
        
        C:\Windows\system32\Ondleo32.exe
        587⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\Okhmnc32.exe
        
        C:\Windows\system32\Okhmnc32.exe
        588⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Obbekn32.exe
        
        C:\Windows\system32\Obbekn32.exe
        589⤵
        Modifies registry class
        
        PID:10492
        
        C:\Windows\SysWOW64\Okkidceh.exe
        
        C:\Windows\system32\Okkidceh.exe
        590⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Olmficce.exe
        
        C:\Windows\system32\Olmficce.exe
        591⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\Obgofmjb.exe
        
        C:\Windows\system32\Obgofmjb.exe
        592⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\Plocob32.exe
        
        C:\Windows\system32\Plocob32.exe
        593⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\Pehghhgc.exe
        
        C:\Windows\system32\Pehghhgc.exe
        594⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\Pnplqn32.exe
        
        C:\Windows\system32\Pnplqn32.exe
        595⤵
        Drops file in System32 directory
        
        PID:10748
        
        C:\Windows\SysWOW64\Pbpall32.exe
        
        C:\Windows\system32\Pbpall32.exe
        596⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\Plifea32.exe
        
        C:\Windows\system32\Plifea32.exe
        597⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\Pbbnbkpe.exe
        
        C:\Windows\system32\Pbbnbkpe.exe
        598⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Qimfoe32.exe
        
        C:\Windows\system32\Qimfoe32.exe
        599⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Qpfokpoo.exe
        
        C:\Windows\system32\Qpfokpoo.exe
        600⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\Qecgcfmf.exe
        
        C:\Windows\system32\Qecgcfmf.exe
        601⤵
        Drops file in System32 directory
        
        PID:11004
        
        C:\Windows\SysWOW64\Apndloif.exe
        
        C:\Windows\system32\Apndloif.exe
        602⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\Aaoadg32.exe
        
        C:\Windows\system32\Aaoadg32.exe
        603⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Aified32.exe
        
        C:\Windows\system32\Aified32.exe
        604⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\Aocamk32.exe
        
        C:\Windows\system32\Aocamk32.exe
        605⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\Aemjjeek.exe
        
        C:\Windows\system32\Aemjjeek.exe
        606⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Algbfo32.exe
        
        C:\Windows\system32\Algbfo32.exe
        607⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\Aacjofkp.exe
        
        C:\Windows\system32\Aacjofkp.exe
        608⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Bhgeao32.exe
        
        C:\Windows\system32\Bhgeao32.exe
        609⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Baojkdqb.exe
        
        C:\Windows\system32\Baojkdqb.exe
        610⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Caagpdop.exe
        
        C:\Windows\system32\Caagpdop.exe
        611⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\Cpbgnlfo.exe
        
        C:\Windows\system32\Cpbgnlfo.exe
        612⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Cadcfd32.exe
        
        C:\Windows\system32\Cadcfd32.exe
        613⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\Cpedckdl.exe
        
        C:\Windows\system32\Cpedckdl.exe
        614⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Clldhljp.exe
        
        C:\Windows\system32\Clldhljp.exe
        615⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Ccfmef32.exe
        
        C:\Windows\system32\Ccfmef32.exe
        616⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Cipebqij.exe
        
        C:\Windows\system32\Cipebqij.exe
        617⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Cchikf32.exe
        
        C:\Windows\system32\Cchikf32.exe
        618⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Cibagpgg.exe
        
        C:\Windows\system32\Cibagpgg.exe
        619⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Coojpg32.exe
        
        C:\Windows\system32\Coojpg32.exe
        620⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Didnmp32.exe
        
        C:\Windows\system32\Didnmp32.exe
        621⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Doageg32.exe
        
        C:\Windows\system32\Doageg32.exe
        622⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Dapcab32.exe
        
        C:\Windows\system32\Dapcab32.exe
        623⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Dpqcoj32.exe
        
        C:\Windows\system32\Dpqcoj32.exe
        624⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Dabpgbpm.exe
        
        C:\Windows\system32\Dabpgbpm.exe
        625⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Dhlhcl32.exe
        
        C:\Windows\system32\Dhlhcl32.exe
        626⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Dcalae32.exe
        
        C:\Windows\system32\Dcalae32.exe
        627⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\Djkdnool.exe
        
        C:\Windows\system32\Djkdnool.exe
        628⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Dcdifdem.exe
        
        C:\Windows\system32\Dcdifdem.exe
        629⤵
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Djnaco32.exe
        
        C:\Windows\system32\Djnaco32.exe
        630⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Eokjke32.exe
        
        C:\Windows\system32\Eokjke32.exe
        631⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11232
        
        C:\Windows\SysWOW64\Ejpnin32.exe
        
        C:\Windows\system32\Ejpnin32.exe
        632⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Epjfehbd.exe
        
        C:\Windows\system32\Epjfehbd.exe
        633⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Ebkbmqhb.exe
        
        C:\Windows\system32\Ebkbmqhb.exe
        634⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Ehekjk32.exe
        
        C:\Windows\system32\Ehekjk32.exe
        635⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Eoocfegl.exe
        
        C:\Windows\system32\Eoocfegl.exe
        636⤵
        Drops file in System32 directory
        
        PID:7712
        
        C:\Windows\SysWOW64\Efikco32.exe
        
        C:\Windows\system32\Efikco32.exe
        637⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Ehhgpj32.exe
        
        C:\Windows\system32\Ehhgpj32.exe
        638⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Ejgdim32.exe
        
        C:\Windows\system32\Ejgdim32.exe
        639⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10460
        
        C:\Windows\SysWOW64\Elepei32.exe
        
        C:\Windows\system32\Elepei32.exe
        640⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Ecphbckp.exe
        
        C:\Windows\system32\Ecphbckp.exe
        641⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Ejiqom32.exe
        
        C:\Windows\system32\Ejiqom32.exe
        642⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Fqcilgji.exe
        
        C:\Windows\system32\Fqcilgji.exe
        643⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Fbeeco32.exe
        
        C:\Windows\system32\Fbeeco32.exe
        644⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Fmjjqhpn.exe
        
        C:\Windows\system32\Fmjjqhpn.exe
        645⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Fcdbmb32.exe
        
        C:\Windows\system32\Fcdbmb32.exe
        646⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Fjnjjlog.exe
        
        C:\Windows\system32\Fjnjjlog.exe
        647⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Fokbbcmo.exe
        
        C:\Windows\system32\Fokbbcmo.exe
        648⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\Ffekom32.exe
        
        C:\Windows\system32\Ffekom32.exe
        649⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\Fqjolfda.exe
        
        C:\Windows\system32\Fqjolfda.exe
        650⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Ffggdmbi.exe
        
        C:\Windows\system32\Ffggdmbi.exe
        651⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Foplnb32.exe
        
        C:\Windows\system32\Foplnb32.exe
        652⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Fjepkk32.exe
        
        C:\Windows\system32\Fjepkk32.exe
        653⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\Gcneca32.exe
        
        C:\Windows\system32\Gcneca32.exe
        654⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Gmfilfep.exe
        
        C:\Windows\system32\Gmfilfep.exe
        655⤵
        Drops file in System32 directory
        
        PID:8144
        
        C:\Windows\SysWOW64\Gimjag32.exe
        
        C:\Windows\system32\Gimjag32.exe
        656⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Gpgbna32.exe
        
        C:\Windows\system32\Gpgbna32.exe
        657⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Gjlfkj32.exe
        
        C:\Windows\system32\Gjlfkj32.exe
        658⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Gbgkpm32.exe
        
        C:\Windows\system32\Gbgkpm32.exe
        659⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Giacmggo.exe
        
        C:\Windows\system32\Giacmggo.exe
        660⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Gbjhelnp.exe
        
        C:\Windows\system32\Gbjhelnp.exe
        661⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Hidpbf32.exe
        
        C:\Windows\system32\Hidpbf32.exe
        662⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Hfhqkk32.exe
        
        C:\Windows\system32\Hfhqkk32.exe
        663⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Hppedpkf.exe
        
        C:\Windows\system32\Hppedpkf.exe
        664⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Hihimfag.exe
        
        C:\Windows\system32\Hihimfag.exe
        665⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Hpbajp32.exe
        
        C:\Windows\system32\Hpbajp32.exe
        666⤵
        Drops file in System32 directory
        
        PID:10672
        
        C:\Windows\SysWOW64\Hfljfjpq.exe
        
        C:\Windows\system32\Hfljfjpq.exe
        667⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Hfoflj32.exe
        
        C:\Windows\system32\Hfoflj32.exe
        668⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Himche32.exe
        
        C:\Windows\system32\Himche32.exe
        669⤵
        Modifies registry class
        
        PID:10896
        
        C:\Windows\SysWOW64\Hpgkeodo.exe
        
        C:\Windows\system32\Hpgkeodo.exe
        670⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Iippne32.exe
        
        C:\Windows\system32\Iippne32.exe
        671⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\Ipihkobl.exe
        
        C:\Windows\system32\Ipihkobl.exe
        672⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Ifhibhfc.exe
        
        C:\Windows\system32\Ifhibhfc.exe
        673⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Idljll32.exe
        
        C:\Windows\system32\Idljll32.exe
        674⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Iiibdc32.exe
        
        C:\Windows\system32\Iiibdc32.exe
        675⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\Idnfal32.exe
        
        C:\Windows\system32\Idnfal32.exe
        676⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Jjhonfjg.exe
        
        C:\Windows\system32\Jjhonfjg.exe
        677⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Jabgkpad.exe
        
        C:\Windows\system32\Jabgkpad.exe
        678⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Jjklcf32.exe
        
        C:\Windows\system32\Jjklcf32.exe
        679⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10268
        
        C:\Windows\SysWOW64\Jfalhgni.exe
        
        C:\Windows\system32\Jfalhgni.exe
        680⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Jiphebml.exe
        
        C:\Windows\system32\Jiphebml.exe
        681⤵
        Modifies registry class
        
        PID:10388
        
        C:\Windows\SysWOW64\Jpjqaldi.exe
        
        C:\Windows\system32\Jpjqaldi.exe
        682⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Jfdinf32.exe
        
        C:\Windows\system32\Jfdinf32.exe
        683⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Jibejb32.exe
        
        C:\Windows\system32\Jibejb32.exe
        684⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Jplmglbf.exe
        
        C:\Windows\system32\Jplmglbf.exe
        685⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\Jfffcf32.exe
        
        C:\Windows\system32\Jfffcf32.exe
        686⤵
        Drops file in System32 directory
        
        PID:8688
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        687⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Jdjfmjhm.exe
        
        C:\Windows\system32\Jdjfmjhm.exe
        688⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Kigoeagd.exe
        
        C:\Windows\system32\Kigoeagd.exe
        689⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Kpagbk32.exe
        
        C:\Windows\system32\Kpagbk32.exe
        690⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Kiikkada.exe
        
        C:\Windows\system32\Kiikkada.exe
        691⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Kpccgk32.exe
        
        C:\Windows\system32\Kpccgk32.exe
        692⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Kilhqq32.exe
        
        C:\Windows\system32\Kilhqq32.exe
        693⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Kgphje32.exe
        
        C:\Windows\system32\Kgphje32.exe
        694⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Kphmbjhi.exe
        
        C:\Windows\system32\Kphmbjhi.exe
        695⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Kmlmlo32.exe
        
        C:\Windows\system32\Kmlmlo32.exe
        696⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Kdffiinp.exe
        
        C:\Windows\system32\Kdffiinp.exe
        697⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Lkpnec32.exe
        
        C:\Windows\system32\Lkpnec32.exe
        698⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Lajfbmmi.exe
        
        C:\Windows\system32\Lajfbmmi.exe
        699⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Lgfojd32.exe
        
        C:\Windows\system32\Lgfojd32.exe
        700⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Lmqggncn.exe
        
        C:\Windows\system32\Lmqggncn.exe
        701⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Lkdgqbag.exe
        
        C:\Windows\system32\Lkdgqbag.exe
        702⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Lanpml32.exe
        
        C:\Windows\system32\Lanpml32.exe
        703⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Lnepbm32.exe
        
        C:\Windows\system32\Lnepbm32.exe
        704⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Lcbikd32.exe
        
        C:\Windows\system32\Lcbikd32.exe
        705⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Ljlagndl.exe
        
        C:\Windows\system32\Ljlagndl.exe
        706⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Lpfidh32.exe
        
        C:\Windows\system32\Lpfidh32.exe
        707⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Mgpaqbcf.exe
        
        C:\Windows\system32\Mgpaqbcf.exe
        708⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Maefnk32.exe
        
        C:\Windows\system32\Maefnk32.exe
        709⤵
        Drops file in System32 directory
        
        PID:8620
        
        C:\Windows\SysWOW64\Mgbnfb32.exe
        
        C:\Windows\system32\Mgbnfb32.exe
        710⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\Mnlfclip.exe
        
        C:\Windows\system32\Mnlfclip.exe
        711⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Mciokcgg.exe
        
        C:\Windows\system32\Mciokcgg.exe
        712⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Mjcghm32.exe
        
        C:\Windows\system32\Mjcghm32.exe
        713⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Mdhkefnj.exe
        
        C:\Windows\system32\Mdhkefnj.exe
        714⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Mkbcbp32.exe
        
        C:\Windows\system32\Mkbcbp32.exe
        715⤵
        Modifies registry class
        
        PID:8316
        
        C:\Windows\SysWOW64\Mallojmd.exe
        
        C:\Windows\system32\Mallojmd.exe
        716⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Mjhqcmjo.exe
        
        C:\Windows\system32\Mjhqcmjo.exe
        717⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Nqaipgal.exe
        
        C:\Windows\system32\Nqaipgal.exe
        718⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Nkgmmpab.exe
        
        C:\Windows\system32\Nkgmmpab.exe
        719⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Nqdeefpi.exe
        
        C:\Windows\system32\Nqdeefpi.exe
        720⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Ngnnbq32.exe
        
        C:\Windows\system32\Ngnnbq32.exe
        721⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Nnhfokoc.exe
        
        C:\Windows\system32\Nnhfokoc.exe
        722⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Ndbnkefp.exe
        
        C:\Windows\system32\Ndbnkefp.exe
        723⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Njogdldg.exe
        
        C:\Windows\system32\Njogdldg.exe
        724⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Nqioqf32.exe
        
        C:\Windows\system32\Nqioqf32.exe
        725⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Ncgkma32.exe
        
        C:\Windows\system32\Ncgkma32.exe
        726⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Nbhkjicf.exe
        
        C:\Windows\system32\Nbhkjicf.exe
        727⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Njcpok32.exe
        
        C:\Windows\system32\Njcpok32.exe
        728⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Oqmhlego.exe
        
        C:\Windows\system32\Oqmhlego.exe
        729⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Oggqho32.exe
        
        C:\Windows\system32\Oggqho32.exe
        730⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Obmeeh32.exe
        
        C:\Windows\system32\Obmeeh32.exe
        731⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Ocnampdp.exe
        
        C:\Windows\system32\Ocnampdp.exe
        732⤵
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Onceji32.exe
        
        C:\Windows\system32\Onceji32.exe
        733⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Odnngclb.exe
        
        C:\Windows\system32\Odnngclb.exe
        734⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Okgfdm32.exe
        
        C:\Windows\system32\Okgfdm32.exe
        735⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ognginic.exe
        
        C:\Windows\system32\Ognginic.exe
        736⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Onhoehpp.exe
        
        C:\Windows\system32\Onhoehpp.exe
        737⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Ocegnoog.exe
        
        C:\Windows\system32\Ocegnoog.exe
        738⤵
        Modifies registry class
        
        PID:8944
        
        C:\Windows\SysWOW64\Peddhb32.exe
        
        C:\Windows\system32\Peddhb32.exe
        739⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Pcjaio32.exe
        
        C:\Windows\system32\Pcjaio32.exe
        740⤵
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Pbkagfba.exe
        
        C:\Windows\system32\Pbkagfba.exe
        741⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Pclnon32.exe
        
        C:\Windows\system32\Pclnon32.exe
        742⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Pbmnlf32.exe
        
        C:\Windows\system32\Pbmnlf32.exe
        743⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Pgjfdm32.exe
        
        C:\Windows\system32\Pgjfdm32.exe
        744⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Pndoagfc.exe
        
        C:\Windows\system32\Pndoagfc.exe
        745⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Pengna32.exe
        
        C:\Windows\system32\Pengna32.exe
        746⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Qnfkgfdp.exe
        
        C:\Windows\system32\Qnfkgfdp.exe
        747⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Qepccqlm.exe
        
        C:\Windows\system32\Qepccqlm.exe
        748⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Qnihlf32.exe
        
        C:\Windows\system32\Qnihlf32.exe
        749⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Qgalelin.exe
        
        C:\Windows\system32\Qgalelin.exe
        750⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Abfqbdhd.exe
        
        C:\Windows\system32\Abfqbdhd.exe
        751⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Achmjmnb.exe
        
        C:\Windows\system32\Achmjmnb.exe
        752⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Ajbegg32.exe
        
        C:\Windows\system32\Ajbegg32.exe
        753⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Ahffqk32.exe
        
        C:\Windows\system32\Ahffqk32.exe
        754⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Anpnmele.exe
        
        C:\Windows\system32\Anpnmele.exe
        755⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9136
        
        C:\Windows\SysWOW64\Ahhbfkbf.exe
        
        C:\Windows\system32\Ahhbfkbf.exe
        756⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Aaqgop32.exe
        
        C:\Windows\system32\Aaqgop32.exe
        757⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8500
        
        C:\Windows\SysWOW64\Alfkli32.exe
        
        C:\Windows\system32\Alfkli32.exe
        758⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Aaccdp32.exe
        
        C:\Windows\system32\Aaccdp32.exe
        759⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ahmlaj32.exe
        
        C:\Windows\system32\Ahmlaj32.exe
        760⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Bngdndfn.exe
        
        C:\Windows\system32\Bngdndfn.exe
        761⤵
        Modifies registry class
        
        PID:8516
        
        C:\Windows\SysWOW64\Beqljn32.exe
        
        C:\Windows\system32\Beqljn32.exe
        762⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Baocpnmf.exe
        
        C:\Windows\system32\Baocpnmf.exe
        763⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Cobciblp.exe
        
        C:\Windows\system32\Cobciblp.exe
        764⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Caapfnkd.exe
        
        C:\Windows\system32\Caapfnkd.exe
        765⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Coepob32.exe
        
        C:\Windows\system32\Coepob32.exe
        766⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Chmehhpn.exe
        
        C:\Windows\system32\Chmehhpn.exe
        767⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Cbcieqpd.exe
        
        C:\Windows\system32\Cbcieqpd.exe
        768⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Cddemi32.exe
        
        C:\Windows\system32\Cddemi32.exe
        769⤵
        Drops file in System32 directory
        
        PID:10436
        
        C:\Windows\SysWOW64\Coijja32.exe
        
        C:\Windows\system32\Coijja32.exe
        770⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7776
        
        C:\Windows\SysWOW64\Cefolk32.exe
        
        C:\Windows\system32\Cefolk32.exe
        771⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Donceaac.exe
        
        C:\Windows\system32\Donceaac.exe
        772⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Ddpeigle.exe
        
        C:\Windows\system32\Ddpeigle.exe
        773⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Dlgmjdlg.exe
        
        C:\Windows\system32\Dlgmjdlg.exe
        774⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Dacebkko.exe
        
        C:\Windows\system32\Dacebkko.exe
        775⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Ddbbngjb.exe
        
        C:\Windows\system32\Ddbbngjb.exe
        776⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Dccbln32.exe
        
        C:\Windows\system32\Dccbln32.exe
        777⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7520
        
        C:\Windows\SysWOW64\Eolpfo32.exe
        
        C:\Windows\system32\Eolpfo32.exe
        778⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Ecjhmm32.exe
        
        C:\Windows\system32\Ecjhmm32.exe
        779⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Elbmebbj.exe
        
        C:\Windows\system32\Elbmebbj.exe
        780⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\Eaoenjqa.exe
        
        C:\Windows\system32\Eaoenjqa.exe
        781⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Ednajepe.exe
        
        C:\Windows\system32\Ednajepe.exe
        782⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Eocegn32.exe
        
        C:\Windows\system32\Eocegn32.exe
        783⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Fhljpcfk.exe
        
        C:\Windows\system32\Fhljpcfk.exe
        784⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Foebmn32.exe
        
        C:\Windows\system32\Foebmn32.exe
        785⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Fljcfa32.exe
        
        C:\Windows\system32\Fljcfa32.exe
        786⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Fafkoiji.exe
        
        C:\Windows\system32\Fafkoiji.exe
        787⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Fcfhhk32.exe
        
        C:\Windows\system32\Fcfhhk32.exe
        788⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Fhbpqb32.exe
        
        C:\Windows\system32\Fhbpqb32.exe
        789⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Fomhnmgp.exe
        
        C:\Windows\system32\Fomhnmgp.exe
        790⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Fdiafc32.exe
        
        C:\Windows\system32\Fdiafc32.exe
        791⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4712
        
        C:\Windows\SysWOW64\Fckacknf.exe
        
        C:\Windows\system32\Fckacknf.exe
        792⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Gdlnkc32.exe
        
        C:\Windows\system32\Gdlnkc32.exe
        793⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Glcelq32.exe
        
        C:\Windows\system32\Glcelq32.exe
        794⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Gdnjabab.exe
        
        C:\Windows\system32\Gdnjabab.exe
        795⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Gcagdj32.exe
        
        C:\Windows\system32\Gcagdj32.exe
        796⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Gfpcpefb.exe
        
        C:\Windows\system32\Gfpcpefb.exe
        797⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1700
        
        C:\Windows\SysWOW64\Gohhik32.exe
        
        C:\Windows\system32\Gohhik32.exe
        798⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Gdeqaa32.exe
        
        C:\Windows\system32\Gdeqaa32.exe
        799⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Hicihp32.exe
        
        C:\Windows\system32\Hicihp32.exe
        800⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Hcimei32.exe
        
        C:\Windows\system32\Hcimei32.exe
        801⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Hejjmage.exe
        
        C:\Windows\system32\Hejjmage.exe
        802⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Hbnjfefo.exe
        
        C:\Windows\system32\Hbnjfefo.exe
        803⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Hflclcle.exe
        
        C:\Windows\system32\Hflclcle.exe
        804⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Hmfkin32.exe
        
        C:\Windows\system32\Hmfkin32.exe
        805⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Hillnoif.exe
        
        C:\Windows\system32\Hillnoif.exe
        806⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Hpfdkiac.exe
        
        C:\Windows\system32\Hpfdkiac.exe
        807⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9272
        
        C:\Windows\SysWOW64\Ifplgc32.exe
        
        C:\Windows\system32\Ifplgc32.exe
        808⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Imjddmpl.exe
        
        C:\Windows\system32\Imjddmpl.exe
        809⤵
        Drops file in System32 directory
        
        PID:9756
        
        C:\Windows\SysWOW64\Ifcimb32.exe
        
        C:\Windows\system32\Ifcimb32.exe
        810⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\Iiaein32.exe
        
        C:\Windows\system32\Iiaein32.exe
        811⤵
        Modifies registry class
        
        PID:9524
        
        C:\Windows\SysWOW64\Ipkneh32.exe
        
        C:\Windows\system32\Ipkneh32.exe
        812⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Ifefbbdj.exe
        
        C:\Windows\system32\Ifefbbdj.exe
        813⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Iicboncn.exe
        
        C:\Windows\system32\Iicboncn.exe
        814⤵
        Drops file in System32 directory
        
        PID:8292
        
        C:\Windows\SysWOW64\Ifgbhbbh.exe
        
        C:\Windows\system32\Ifgbhbbh.exe
        815⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Imakdl32.exe
        
        C:\Windows\system32\Imakdl32.exe
        816⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Ickcaf32.exe
        
        C:\Windows\system32\Ickcaf32.exe
        817⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Ilfhfh32.exe
        
        C:\Windows\system32\Ilfhfh32.exe
        818⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Jmfdpkeo.exe
        
        C:\Windows\system32\Jmfdpkeo.exe
        819⤵
        Drops file in System32 directory
        
        PID:9844
        
        C:\Windows\SysWOW64\Jcplle32.exe
        
        C:\Windows\system32\Jcplle32.exe
        820⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\Jeaidn32.exe
        
        C:\Windows\system32\Jeaidn32.exe
        821⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Jcbibeki.exe
        
        C:\Windows\system32\Jcbibeki.exe
        822⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Jioajliq.exe
        
        C:\Windows\system32\Jioajliq.exe
        823⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Jcefgeif.exe
        
        C:\Windows\system32\Jcefgeif.exe
        824⤵
        Drops file in System32 directory
        
        PID:10156
        
        C:\Windows\SysWOW64\Jfcbcp32.exe
        
        C:\Windows\system32\Jfcbcp32.exe
        825⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Jlpklg32.exe
        
        C:\Windows\system32\Jlpklg32.exe
        826⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Jcgbmd32.exe
        
        C:\Windows\system32\Jcgbmd32.exe
        827⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Jehoemmb.exe
        
        C:\Windows\system32\Jehoemmb.exe
        828⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Klbgag32.exe
        
        C:\Windows\system32\Klbgag32.exe
        829⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Kblpnall.exe
        
        C:\Windows\system32\Kblpnall.exe
        830⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Kifhkkci.exe
        
        C:\Windows\system32\Kifhkkci.exe
        831⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Kdllhdco.exe
        
        C:\Windows\system32\Kdllhdco.exe
        832⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Kmdqai32.exe
        
        C:\Windows\system32\Kmdqai32.exe
        833⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Kdnincal.exe
        
        C:\Windows\system32\Kdnincal.exe
        834⤵
        Modifies registry class
        
        PID:9480
        
        C:\Windows\SysWOW64\Kikafjoc.exe
        
        C:\Windows\system32\Kikafjoc.exe
        835⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Kdqecc32.exe
        
        C:\Windows\system32\Kdqecc32.exe
        836⤵
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Keabkkdg.exe
        
        C:\Windows\system32\Keabkkdg.exe
        837⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Klljhe32.exe
        
        C:\Windows\system32\Klljhe32.exe
        838⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Kipkaj32.exe
        
        C:\Windows\system32\Kipkaj32.exe
        839⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Lfckjnjh.exe
        
        C:\Windows\system32\Lfckjnjh.exe
        840⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Lmncgh32.exe
        
        C:\Windows\system32\Lmncgh32.exe
        841⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Leihlj32.exe
        
        C:\Windows\system32\Leihlj32.exe
        842⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Lekeajmm.exe
        
        C:\Windows\system32\Lekeajmm.exe
        843⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Ldleoa32.exe
        
        C:\Windows\system32\Ldleoa32.exe
        844⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Liimgh32.exe
        
        C:\Windows\system32\Liimgh32.exe
        845⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lpcedbjp.exe
        
        C:\Windows\system32\Lpcedbjp.exe
        846⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Lepnli32.exe
        
        C:\Windows\system32\Lepnli32.exe
        847⤵
        Drops file in System32 directory
        
        PID:9400
        
        C:\Windows\SysWOW64\Mmgfmg32.exe
        
        C:\Windows\system32\Mmgfmg32.exe
        848⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Mdanjaqf.exe
        
        C:\Windows\system32\Mdanjaqf.exe
        849⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Mllcocna.exe
        
        C:\Windows\system32\Mllcocna.exe
        850⤵
        Modifies registry class
        
        PID:10084
        
        C:\Windows\SysWOW64\Mcfkkmeo.exe
        
        C:\Windows\system32\Mcfkkmeo.exe
        851⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3088
        
        C:\Windows\SysWOW64\Mlnpdc32.exe
        
        C:\Windows\system32\Mlnpdc32.exe
        852⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Mgddal32.exe
        
        C:\Windows\system32\Mgddal32.exe
        853⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Njlcdf32.exe
        
        C:\Windows\system32\Njlcdf32.exe
        854⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Nebdighb.exe
        
        C:\Windows\system32\Nebdighb.exe
        855⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ndcdfnpa.exe
        
        C:\Windows\system32\Ndcdfnpa.exe
        856⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Nnlhod32.exe
        
        C:\Windows\system32\Nnlhod32.exe
        857⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Nciahk32.exe
        
        C:\Windows\system32\Nciahk32.exe
        858⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Olaeqp32.exe
        
        C:\Windows\system32\Olaeqp32.exe
        859⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Ocknmjcf.exe
        
        C:\Windows\system32\Ocknmjcf.exe
        860⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Odkjgm32.exe
        
        C:\Windows\system32\Odkjgm32.exe
        861⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Ogifci32.exe
        
        C:\Windows\system32\Ogifci32.exe
        862⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Oncopcqj.exe
        
        C:\Windows\system32\Oncopcqj.exe
        863⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9924
        
        C:\Windows\SysWOW64\Odmgmmhf.exe
        
        C:\Windows\system32\Odmgmmhf.exe
        864⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\Onekeb32.exe
        
        C:\Windows\system32\Onekeb32.exe
        865⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Ocbdni32.exe
        
        C:\Windows\system32\Ocbdni32.exe
        866⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Ojllkcdk.exe
        
        C:\Windows\system32\Ojllkcdk.exe
        867⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Oqfdgn32.exe
        
        C:\Windows\system32\Oqfdgn32.exe
        868⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Pgpmdh32.exe
        
        C:\Windows\system32\Pgpmdh32.exe
        869⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Pjnipc32.exe
        
        C:\Windows\system32\Pjnipc32.exe
        870⤵
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Pcgmiiii.exe
        
        C:\Windows\system32\Pcgmiiii.exe
        871⤵
        Drops file in System32 directory
        
        PID:9376
        
        C:\Windows\SysWOW64\Pnlafaio.exe
        
        C:\Windows\system32\Pnlafaio.exe
        872⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Pdfjcl32.exe
        
        C:\Windows\system32\Pdfjcl32.exe
        873⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Pfgfkd32.exe
        
        C:\Windows\system32\Pfgfkd32.exe
        874⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Pmangnmg.exe
        
        C:\Windows\system32\Pmangnmg.exe
        875⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Pggbdgmm.exe
        
        C:\Windows\system32\Pggbdgmm.exe
        876⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Pnakaa32.exe
        
        C:\Windows\system32\Pnakaa32.exe
        877⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Pflpfcbe.exe
        
        C:\Windows\system32\Pflpfcbe.exe
        878⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Pqbdclak.exe
        
        C:\Windows\system32\Pqbdclak.exe
        879⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Qfolkcpb.exe
        
        C:\Windows\system32\Qfolkcpb.exe
        880⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10108 -s 400
        881⤵
        Program crash
        
        PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:8764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 10108 -ip 10108
1⤵
PID:10112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apngjd32.exe

Filesize
80KB

MD5
0439c66c86a30ae7bf786b011e9c949d

SHA1
ccbf3b11801143d1ca36db2109d447937e5c2140

SHA256
83c33124943633c5420cdb7bc8ada971bd222a1de4c70194588ea6bc1535a469

SHA512
522993ffe88fbe5733c496da1c7e7cadb08969753084e198eee1b828505cc82ba8ede5939204c7b861b47b307560733ec1a04403b24eb299054cf416298a38b1

Download Submit
C:\Windows\SysWOW64\Bikeni32.exe

Filesize
80KB

MD5
b41cdeae383ba7dc969400c03b701dca

SHA1
f011e44c1f9e95436cb9be6c28d0591e3f6c4f6c

SHA256
a1d4185b929232fcac6c31598e97bcc5049683490ee996f273928fde4b4fc7c3

SHA512
ecc8ce7d285d41c80a6fe2a597589bf150990ce997ab83fc23f9d9322636cf80f82e29876f309ff4e0f4017c335fdd23d876705fb9f4f874ff35ca0141f84769

Download Submit
C:\Windows\SysWOW64\Dbgdnelk.exe

Filesize
80KB

MD5
abc4c140c2578fe297e372bac3d24925

SHA1
6c9f5305bae7e1738b2ca5c4cb30346e50062f0c

SHA256
1905005982d8aadec97a931ca7143120f24faa1285ef80858d98201e23f8b894

SHA512
e1e9602ec563f7d8bd1b372a42c14cbae63b5a3260b8d32ef8eccb23cada9ece9abaefb47de5dbe07759e9ece76b8218e477a22d51bbaad2410af50f029d86e6

Download Submit
C:\Windows\SysWOW64\Didqkeeq.exe

Filesize
80KB

MD5
60c2489a17e7e03df7a6bfd43aa187a0

SHA1
88a7644d02948f91b62ef16bb2de3e4d0c012563

SHA256
a1601e1209960a6b7e2f9a75558493eacf289d08487bb3aba0d2d6f78ed5930c

SHA512
2eff56e06598107251868a04abde7485c01dbbccd37fbebecbb1cf094340cc4a77160167a1e913e2543271bb6ed4f49e2c8cb578dd5b6013cf227bd444dc3aa4

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
80KB

MD5
420469fc3019cdb569ddb173e8bf4f16

SHA1
302ca753df7d918b11b9f162ac4eb54ce0115278

SHA256
d7a94f7e5d74ced9f8b71b5c737d25ac5b708d8da870a3df6b3ded1c50575c3c

SHA512
ff27977a8b2afa650f8d6d71b71ea4aae27b64c02503a20fd18c979c91e0b37d516abb61963150a850f5eb6084850960399e0ed5e4f06c46437bfe2aafb23ffc

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
80KB

MD5
fa7a1b7c156115998507c93b9ffad33e

SHA1
98838ce11469b619f739ccf1bb342db6d02b40a4

SHA256
db3d23327e321c1c1996e3f681f7db1a1ef151e1a7ec33b1b8666ff7469a3833

SHA512
307bd9772917e6f2fc25f68c6653a1e907f2888186cc0af55c4790bd57e08095c1b611d97885e77ed160e41e6e905112034b5a9aa397e562f5338df9b84bcf80

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
80KB

MD5
9a277ca1ac92f6869666b34969e75407

SHA1
f6ff039084079f47f60107b722cf7fb23a7f61aa

SHA256
00afd07278c0dac948514255a4944b2d6aeabcf58b9df419cdff6474970cd4d3

SHA512
bae521d0f7d5fc59a408adcd61ebda3c7aafd0c3fc3567e181c9b268237111e0f2400babdafa23d55cc193a193259d7fd2f2826a9ef6fd5f2898561148b15fee

Download Submit
C:\Windows\SysWOW64\Fegiba32.exe

Filesize
80KB

MD5
cc92b60f1288e1a51e64c72231d24aef

SHA1
b1f0e4d5d2bbbb8200986a9f31d3eb0bb30ff7ab

SHA256
446c7a2e73a69d874d36381f0b49c8e8f2f1744a3fbda52a6afc6d70103ed039

SHA512
48ac20e78d5c1825c5c01d5df746748483a51ce9e1d65fc23442778fc97f88b4b36a6c78cadc0b7dd571963494a7b26770bc375eb2a253e154db3ea654e4c9fd

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
80KB

MD5
1454bde98639207999e4726ad6782d4f

SHA1
055fa5c054b8a780972d31449f256cbfb303ca02

SHA256
9d53a090ac941f20ccbe4e70b52af442540397760e09904dd859574e5b9673b1

SHA512
c24bfc0bdd4a5e3e5f9f005d8dc29fe287b0d51cfa5e84d7719e4ddb8190a824253869419d92345b7e3ad5a6553e0430645adc88473fa145b3198bdbb480bbaa

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
80KB

MD5
c5e6893ba3b2767bf4224550e17272aa

SHA1
29de189a1f2e152df42b74d15db72e115aa7b0ef

SHA256
a3d8c55b6e4a0aff28068c76815fd75a344ef1561f77bb442ce09aeebd7c4b4a

SHA512
4fcc12840428ef15a0762cf2d0b0cbb8c24755b1556f8345837fe9acbb7b8125c1bc8bde5294cf394f2a3b5f8a97306606f89c18c8d6ad87f1fdb6c2e571cbb6

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
80KB

MD5
4d51935c43084fc989f9ef33e41f2c09

SHA1
5fd95686a9982184ea18b6cb5d6142944818d248

SHA256
46a29e17bf099cf0ddc7f3c523e2e661e74b47a4f0cb6575f40f35edd8244f8c

SHA512
4d2e2b7fb7077fb120c31b7fcfffe1afe20b649b1f2247ebedce9b2b038a30a67271f66235ad30f545ea36d810bbd7b8c57fd0beb5b009dbe7dbdc0ea4c4d2f8

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
80KB

MD5
47826019c7002758bac3e2ec53984b9e

SHA1
2117f72f741c7819a3d8ab6ce2c61f894ab453e0

SHA256
75bfd555658654dc1838454f6f36a6b82b7d901cfcd9620d24ae1165e24ebbba

SHA512
191fa7796799573a399f16c6296f876ca31911ba1a36ecc15704bc599dce46a9de6eac595b1b33cd8692afc62c0b507e1dc262f85f85977060b8d830628a8096

Download Submit
C:\Windows\SysWOW64\Gbkdod32.exe

Filesize
80KB

MD5
0f9ff13b674b93a34b80ca15ca8b5bf8

SHA1
e88e94af01c9142e26b56e8a5a309b2db21518df

SHA256
32875fdc12ed7b885e1d283d6cbda24a01ff352d9ff4a0d9be90377131ee6f19

SHA512
9ffe764a8c480ef0a589cef462a8e5e1290db8ff4c3af1f053d431cdbb45bc86dfdb569e3c5802815ce92af01256692f7c54d3c6835581c46d70ac60633bd301

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
80KB

MD5
3bd3b4bc1e15a7ef62f9fea5f56ca190

SHA1
4cddc4146adc7cafdde712c4b356c4a6f29a7810

SHA256
11cfab567be8b11a44d2333f26a802e7d1b1cc3bc5843742c6a6349514321683

SHA512
f7b0030aac4de7c0c12e61efb61cbd572248ca1758e6e0b3f6783a80dfdc6cd323fa45fa90df632fdddd9cd7f36210d75469dafe74a2f08d578b249de9c7a66b

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
80KB

MD5
35c855284477dcde4e2b6a553ea312d2

SHA1
709d74cb4c3d0cfdcf1295ed8209844d20f1c836

SHA256
e2a4902a0eb329a4f417576a3e085af663cb60b2953425c1571a90e98510a955

SHA512
7d21b16047fc0fe5521999338e6522c1e3854758a93fd115b6d2ba0dbaeb3d7c0c119f0dac96959300b7a047b11afa8ab0230502cb09535f7565a8fd19e1e54f

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
80KB

MD5
7136728debddca9800a2d62683787225

SHA1
14b7b4498c986b9619962f6be32fc7f30ed5b377

SHA256
44fe01f9b1b0178c24b1a83bc4d0365eadb5c20ebf0caa2eea83365fbddd0d2b

SHA512
1a238ab9a070abf4242900b30af775975839d35486adbe50eb35e35bfd2f9c87643484443a729506b0873ec7aec5151ae34c879c152cc1e0c6d04abc667c3cd0

Download Submit
C:\Windows\SysWOW64\Gnjhhpgl.exe

Filesize
80KB

MD5
2d83bc9b991557a15d31d24d23663eea

SHA1
f04be2b9ccacae4991e7522f947805142b67ee04

SHA256
1c229f10a8f628237648c56fe36164c071f2de0f1daddbcf28bb04164df6ab0e

SHA512
c4354b7fc2fbdad99dcb6f0c4c331270912736fe88ad2e17c1d794a4a7c17c5f0c5973eb550077ea23724520ee1a720cdb171236535a2f5f356d868fe0d4aade

Download Submit
C:\Windows\SysWOW64\Gqpapacd.exe

Filesize
80KB

MD5
1b7704153e39d1b716f9ffe504a72607

SHA1
534ade5217f492390810d580ea88a35f846c80ff

SHA256
ba54fd6fc94218b2f45dfcb31d8e48dc88204cf5c60466f0d8b73adc347149a0

SHA512
8c5ce0d41f40967a8c9e2e3126aa6098a619a920ca3d5ed14db62fa74b92378986629bad9b74417b8941cab271a29de9590006f58a213dbd46591e365623c785

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
80KB

MD5
7d4be59428838ec319dfadebd6ae0b2d

SHA1
d06c4de5b75888c7b4a63dcc07196fb8ce4da38f

SHA256
9b0bc50673764b7b755e89ce9402ccb73726379af48dc715ccf3e866cb01af1b

SHA512
9ea6442ef46135f0e50fc1a426a471530aabeb40c9a25bd63130c464433ce6dd5483f9c31c2da2e905100273149b2d475c742e8d9609cc278eef188a6be13313

Download Submit
C:\Windows\SysWOW64\Hcfcmnce.exe

Filesize
80KB

MD5
c72667c4a09657271e42c55917bcaab5

SHA1
83407cb9728a89180792dcdf1f15275774453219

SHA256
7327978915fa6d3c0c281d46df3ff5953c0d73d7f1859dc4a23f0095e4b02091

SHA512
e10a9b2305f00f1f465bb87f743a7a018736b42f78ee9427d7f6f8f9b1748c0f1457dff545b2dac901c1451ca780f88ac4cffe73cd9c917894d720fa60cefdc7

Download Submit
C:\Windows\SysWOW64\Hegmlnbp.exe

Filesize
80KB

MD5
04034a5bdf94cffb527592bf988b5af7

SHA1
03d3d9c6f32b39aebef5b4447ea32291e1c987bc

SHA256
34b37e872193f7ce76e81d880f8c0d277c65d91d52e595c579dded3b74c4f887

SHA512
6135e4e81b16c4df9d91bc2845004daf194614618c8701f53b17c6f2bad21c443bfbb754312b1b59c110d3c021793ad40ad91af55619a5432fdaf7c192f5ed79

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
80KB

MD5
ff5dbe758632f317048af60886a7e37f

SHA1
c6b70d6548d8e9f2b4a84406b415a104ed0271ab

SHA256
33fd8cb203b730836f83d7586c705b063512563ba7dc47a8ec3f450421cec17d

SHA512
1ba6927dc414c30221afa7a06840b0dd8eeb7d60852561f100708df3d9d23e84c137d008a5c44e79bd166a4b3482909774a2342f4901ad1675f2c820df8609ec

Download Submit
C:\Windows\SysWOW64\Hjlaoioh.exe

Filesize
80KB

MD5
4a168317192ce74d3db3f90aedb20dc4

SHA1
ee97d53ec62c98cdd128d5d6e10e4426812e4b94

SHA256
04f91c386ef96dd6dad2605cdd4dbc148a75ed5d00eca7eed14161b7b147dccc

SHA512
f9b378032f32bd4c982445c29b3adf99fc906ad2ba871d8c46b1b9b3c8f901ff915099f6df5261299b0a58bf588807a4823a16382d17e61e64381f0a8aaadd96

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
80KB

MD5
1e314a87198b324e00680829fc767990

SHA1
af3adececd2f6aadafcf3ed40f3b7d6bc2786712

SHA256
966e8a1a7f3a1af0420a0a8173cbc846aedef2947db536831a2378c453c85580

SHA512
ae3d3a4079185a83ae92ae9d55d488bedfeaa3bf717fced5b948da0bc0ac920913ee0e4290aa1d814aef30a6a3658928a84ccee1136670ba39a309b06a1364ed

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
80KB

MD5
ab9ece1b22c38b2bb492876a3b2b88c7

SHA1
abf7ad93898181ebc2bd3aa307911b5814cbd32a

SHA256
0bbf137fa9ecb827c21387e83966b082d14077da85d68d870f5ff530c06c8860

SHA512
3e1ce8926d5822f2f72b9d5c03df52ee2555c60e6023ee196560560290e8ec4319b83407b53598b5891778f5bdc3ad4e8e411a86fbb9f0114f2265a1bceea027

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
80KB

MD5
05e95e46ea51bcea54725680f258ee37

SHA1
c1ecdf7267f50464a4c40f28ea701e65c1b48e65

SHA256
75bd8d16e6f30e11d65a93b8efb3cf54df1d420684798ded7c64533eadf8672c

SHA512
0e57c94ae068ca62acad7a8ee77ea0ffcaba15515c6f69988ed3b2c1c13b2bb74c90796fec522e252bc6238fbbaabe7703481ccb6d269e61f5d6b9e68f4f4d07

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
80KB

MD5
48a9e9b6ebd26ee42cf0ff9a1c111151

SHA1
2d35be92182dc1fee93b2ce02b94f469c393d014

SHA256
77d30cf51ace7264c3ada9acc8b93feee488ef496519519437a5199e06c4fe91

SHA512
0cb7074fa051c5c1acaa69dc5b25f3e8d5b884de3bc3e2b76d090cf4a5f2a6156605058c0c486df71229207da6f8db7740603a68d1fbbcdb6fd9b02203dbf99d

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
80KB

MD5
b3ed0e0c80170cb95d0a4e1621a19355

SHA1
9c62e1151357eb187d9fea5e0e513201cdaf3d68

SHA256
a0300204d7fcdc7d0078fc392a857c7295288843b73bf405f3f8f57e4eba19ae

SHA512
c7be91338be89901e519bcd1446736c1ca5ff1f3f9d81a0fff51e270a4a186ded6a8b39b777ad40805791020df010e014b41f0a30fb29d23023b0c713b45da1c

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
80KB

MD5
438f1b1db66d76197103fa606bb809db

SHA1
92e28a282056383045b5bffa849d54afc7a105e7

SHA256
aefc8f76701bd51aab362813d74583183fbe3721ac7bb75fddc7b1f9ea851782

SHA512
71bd7e596c1134707359a56ed81c4c57ce374650ef348ba21581feaa25b7bc0efdd0ca6af0f91256eb8f7a1e557e93d8d043412447723453374da07a709b7ba4

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
80KB

MD5
46a64a185f9254a6ae858ebbdbda7a2f

SHA1
2c0aace9e2ce92ee0fa3269d23660ba8d5c53fe9

SHA256
40fb0a389da6d7eb840549b5ed311c6cb94226aab13b35d9e09c2504afc49731

SHA512
525e6f6732713f4ac57e039cdaa29e1fca5aec8131943713aee933639e423b35a1f5268671b084c86e25c296312a5ff1c916f7d92f2a3408f63f0112210bd8a4

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
80KB

MD5
e079113fcfa056ce90e6fd8d03ea26c5

SHA1
25d5d5343d74cee8a548c8e8284820cdf163ed6b

SHA256
30db282afe0d6316ed01a5fb6b477be9a26d66b88953073b0ec03417d5ba2cf2

SHA512
209fcb1824e4275aa8a42030e824513e512a7519e851b3e84a1e70e58ebeb49073b7ae4ce6f95416bb29d6cd4b1c69d5fc86b601587df8f5c2b5051cc9367bbb

Download Submit
C:\Windows\SysWOW64\Jepbodhg.exe

Filesize
80KB

MD5
cad5978be3893a2d3f00d46d343de2c3

SHA1
fef45e640043442abffa7001e805ea0a5d0751b2

SHA256
c847f0f91115133075e415a79d924a7533b55aeb4c3a730ff0424cbfb2b9ed77

SHA512
e572da0e2e93e3f57f313c2c7a458905c8bf272d5cc25ae4ad0f02e8fa62c00166cb20f34f8ea0258c505116c73b94096f7f7a0fc833828d7782117f0d0551e1

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
80KB

MD5
861d4f14846ed242713e8eb98d713eb8

SHA1
868afafa95eb53f45671301949219afe6e6d065e

SHA256
48e464c46959d4aca68024b8e58feff41339c99e175dcee03f0d8fb7d737b294

SHA512
581d62cb2fb07414de12f0fc68e7487bf2d74cb39d98f231b3407f2f400ff7a14eb7b4ae84ef1ff75b795b635b21cbba3df1314eeb8d505da8b680a795bd75f7

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
80KB

MD5
c408356c89b938019716330b2bc76a84

SHA1
6ddfbfafe07eed4df31a530fcf4a14c512b7424f

SHA256
49ce27b3495cb72e279f525ae0860fa4c70b9f05f9b6eb215abd5af23fd70908

SHA512
9ae7a7edd074040ffa3621543b3acccdf67664ac46e11f07e635c2761e672544453c4490cb3baa55c20542ddfe43887a9da68f646eebf22adc868d2dff1b3aea

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
80KB

MD5
cbdb5ebb11282386ea3fd48233ae4f47

SHA1
dadfe2b42ef227378a08b8175e52844d7bed6f2d

SHA256
1333f9b23365dfea7cf7d94f6d7b50ea7da0d42df62c91798edc593371b5cdcd

SHA512
0a7de7660710ebafd0992803e6c74479ace180eb682b9279c04c8458871c205d49e90099a4dc691b5e32c511c20374880afc5606dd031c7404cbd8c042ae9a7d

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
80KB

MD5
5117c6f0e2b030ba3aad7706d130e475

SHA1
1267d465e9ebd3e413f764e09e1b0319c101d4c0

SHA256
0ffd9d99a1128d46abee4a7f503b2911c3cb069cdcef066fb6dcf32bfebb35bb

SHA512
ae9a974f068d738446388b0bb551c89bab41dc4598edb2885981de008f28c54fd848e3f944ff8f28db205438f8cb85c69f4b1953a29bfab8aa2912f7a4fa8cb2

Download Submit
C:\Windows\SysWOW64\Khhaanop.exe

Filesize
80KB

MD5
807b94a71e4ef0ad4948d8fcca28e90f

SHA1
6ed2299d8dc9d99d5f4aba9e46a03603c6638ae7

SHA256
8f7a414e7a742f6aea6b976e7de51bfb20510e7b1ab8ad543a29edcbf796fffb

SHA512
238878c31d360b91ca5eb038d28bd1ee48f5ff9d7544ad14cd137bc918d0c0bbe40ea326df4c3cebdf0926f360ee2765980c327c9c138d100e3c0eb43354c716

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
80KB

MD5
6b62a3daa7b1a25b9f9b3784e5a05de4

SHA1
2327119b3abb817608144680cf9252a7fc75e39d

SHA256
fef97edf0b187fcc002b4939ff5de831971f0e5efda84d5bdea78b8bc34b00a7

SHA512
ff7e73f4f59f5ec72a2660368e933ce40fd971414c384272c0aadf8ec4bfc743a80f507152f2a0a1bf3dc41b03c6f8f4f51cf90636c779c1773881c37140972a

Download Submit
C:\Windows\SysWOW64\Khimhefk.exe

Filesize
80KB

MD5
ff03cc1175d71cfbb2bbf0b6d7ff2af9

SHA1
4483886d4df2d6c0a608ecff7e1c322aa492d7a9

SHA256
b63d565168fd0d5ce9a78d622ff5d71757ed4ee74db5353a3d856c5b14e46d43

SHA512
f2c9b1b6fcbb47df7b5e5e0ef7bf7b2499108872d7d4dc1e2b357f83c18ceed42680eb33e9e92936934c65d7624440b86d8499b5874ca67dbb5fa63f7a14b310

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
80KB

MD5
b99cbaadc86f29f9c51c1ca9945eb95a

SHA1
7c06683d632aa0767d72111daafaabea3bfe173d

SHA256
f89842e6841ef770a898179f4fc3ed98b2e98be4244bf55604577138c624bcc1

SHA512
9744b615ce6bf16e0161f134ce3a874907a6213ff3a7e18e5b06aeef6ea0945acdb09d68e938d736bda415b7e9f4a310ec58cbda882caac358fbce1ea198d79e

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
80KB

MD5
e1b6f4643b8e77262376b701130008ff

SHA1
eabf349a9fd8241f535a5af89bcdeb936daadb59

SHA256
f833d8886678ae0f56460d39cc9679bc6a310ba21dccf770be896fa217b9a1fe

SHA512
fa0e51e9bfd770b176a36425e2e0f77877a00457630e91979cb85869550fa7eab156ca2dc6857aa8e88dc33aabaa78aba8c3335cb52989251a45062f81d66b1c

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
80KB

MD5
724d872997af489a8ebe6db522c47bce

SHA1
26850c4930a0843ad63bf263184970d1ef68f227

SHA256
38303ebfe8f1c614a6aae2240421752fbe9dd7035ec4f6684d1915d9f704214c

SHA512
26a842ffbfb8448531bb5fb650e981861f5192c72a5cbd53074f7abdcdd278207acbbfde34e905694c97847a357a3640b648b88397aa107f11241cc129cbb2bd

Download Submit
C:\Windows\SysWOW64\Mdaqhf32.exe

Filesize
80KB

MD5
74776af21b6600dcb8280cbdaebbc285

SHA1
01a340fb4d695c312d86668f4f8ea9c8b7b2321d

SHA256
a05dbd138222bbf93f5933129eeb61c5ba007fd82f83f15bea639ccb2b042f85

SHA512
b017e75c6631dee34d606ec491661e11a1de0a30ac3b35c833a6bdaf8918c08ab6735f45ec1d1a1e2a38fbf1008ebe48595071aa491738590eee747444a0b520

Download Submit
C:\Windows\SysWOW64\Mdjjgggk.exe

Filesize
80KB

MD5
8b1054cce09aa7371424948198ae1577

SHA1
51558979b7aaeef25596e5dcaceea48c65654491

SHA256
27c464d5f39463e72a8aa6310b71d36590b3f88091cc9b0057f47648b6f77505

SHA512
b9ca5193e1e3591eab454b56bedfa4004c8cd5560215cf51b3f7369cbada2d1ee12949ab04f878d00bed871c7bbead9c33955bee84bc18c9f566dae53617648a

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
80KB

MD5
f636537347c6bb5e1fd48d06d8df56b2

SHA1
35244c4e88e916e819564890cf8a5f38dcfa2a99

SHA256
345c9f28e612a0245f03045e87339a659f135c88b22fdc717521263a7452b53d

SHA512
da73a64c6839d0b7abecfcbfc594da87cffb912efe698b8bfb8ebd67fc8aba29d9cf7fd8de9d0c680b396f1c29d6da44fbecedba7c2a3cbe3ad929d09a3428b3

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
80KB

MD5
886145a2b4bf9d81fcbee31916dcb3d4

SHA1
42001bd498bdc012aef33d0edb1537a882e0ed8a

SHA256
e715c5f390971dbcd90909d7fc0ea32927176589ebd6f36919c3f4899c57e208

SHA512
b6322b5ddbe2982c7b61ea9ac8053c8eedcaa15aec41e671b41a92f07c07a27c2b8a35828be54ec82f543c2c12638d838d9693e1348ee994e5ca167f15857b5d

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
80KB

MD5
bd376a053a7bdada9ef6b0a32bced604

SHA1
9ae63eebac62aeab583b5def99a90b13c13a38bf

SHA256
a3765f6484215396b7c210e0d0f8df5b9c99f7a39d7e7abdb96786eb402e3da2

SHA512
6f19257bfd0e9f37f822f6faa205b562b91982ba3bd28e9c5bcac789f65c03c19419c1f1026e586f3d27b9ecbc13e146ecff9145d0f17ac4531439754ed769c8

Download Submit
C:\Windows\SysWOW64\Oeamcmmo.exe

Filesize
80KB

MD5
5af988b6abac9e0f88cbc27711e7f8ba

SHA1
15de442a22a4310b85fad17334108f3ae99ca31c

SHA256
1cbf9da6d068db365816d60b844df6a0de14211595b35404d0a285e1d82e8a52

SHA512
db901bcf1961366b786b5e1fa31daba86c91b67c79195b026c84a93a98e88c2001737b39d2791ca8dd44cb705ea61fc4ddbeb54da156014f8bcb15317bec0b2d

Download Submit
C:\Windows\SysWOW64\Pfmlok32.exe

Filesize
80KB

MD5
d429ffdadab2d7f711e0e883b1bb4f8f

SHA1
90b1babd700797fb6e2b4763691fb779b9d920b2

SHA256
a63bfbca8a45660713c2a5cd45174e7ffd834c8e539bd1ff59a3dffb53249126

SHA512
f438c2af1cfe69485ee8923692baba6a69591f827796ec48cfcd996c8575ce64d6c0d69ed8c0fef31cddfafb9807eef733dab292f008f1f33ae929e960bc1dbc

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
80KB

MD5
8db93812a53dde2d4d68edda7f026410

SHA1
67b68b8fe2fac8ab7a32b2418df1bb2b0ceb402c

SHA256
35eeba589f87499b45be2f6360d823e1e5541486cee8a596c172836e0e0244ec

SHA512
b525fe9e2e133c0b10a8860c0de78e5ed05570245f48d876665f966072c6c5afcae4401a43f57082e3f9a3572872e55fd32b18c111df4f19bba9617cb904692c

Download Submit
memory/216-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/556-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/960-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1192-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3780-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4124-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4164-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads