bd3fc8b00ff91b51dba492c66eff0260af788b5b6d179a4a04278bc9a8189a9d

Analysis

max time kernel
156s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 02:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00b20c9489e1dad5f071b2821525320c.exe
Size

182KB
MD5

00b20c9489e1dad5f071b2821525320c
SHA1

644829c641427e0b9a415c5abfab582d9aae476f
SHA256

bd3fc8b00ff91b51dba492c66eff0260af788b5b6d179a4a04278bc9a8189a9d
SHA512

00c36a0407159315788e5debf8bd00e39a308f5582c363fe1d48ade2ebcf02b160923d3efcb7b8efba235bfebec351d68e721c78b5237da9313787c970a2d001
SSDEEP

1536:eI7oTebXFXFqgFHcaI4JYLSDB53eujWhSY2c1H/n1LzXm6HZQhM895T87vOA1dd6:KTeJbI4kSr3wRj1LaNDHTQdmlZdoIb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjaci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpdcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcfggkac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biigildg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agiahlkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akjgdjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkgje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeddlco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhpge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkelplc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giecfejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojefobm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npadcfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqdbfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Canocm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefjii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iohejo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaekqhh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamipe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkkhnpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeddlco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffceip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emmdom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgihaji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anhcpeon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilcol32.exe

Executes dropped EXE 64 IoCs

pid	Process
3536	Pdmkhgho.exe
4060	Pocpfphe.exe
4120	Qaalblgi.exe
5056	Qhkdof32.exe
4896	Qdbdcg32.exe
3876	Aafemk32.exe
5012	Ahpmjejp.exe
3112	Aojefobm.exe
1856	Aednci32.exe
3784	Alnfpcag.exe
3720	Aefjii32.exe
4164	Aonoao32.exe
5080	Adkgje32.exe
4064	Aoalgn32.exe
2596	Ahippdbe.exe
1076	Bochmn32.exe
2644	Bemqih32.exe
1352	Bkjiao32.exe
1312	Bdbnjdfg.exe
1764	Bnkbcj32.exe
3328	Bhpfqcln.exe
4908	Bojomm32.exe
3608	Ckclhn32.exe
4196	Camddhoi.exe
4688	Clchbqoo.exe
552	Cfkmkf32.exe
4612	Cleegp32.exe
3292	Cbbnpg32.exe
1392	Clgbmp32.exe
2896	Cfpffeaj.exe
2620	Cljobphg.exe
1816	Cfbcke32.exe
1096	Dmlkhofd.exe
4048	Dbicpfdk.exe
4812	Dmohno32.exe
3096	Domdjj32.exe
1460	Ddjmba32.exe
2732	Dkceokii.exe
3652	Dfiildio.exe
4132	Dkfadkgf.exe
3612	Dbpjaeoc.exe
3868	Dmennnni.exe
1756	Dngjff32.exe
3976	Deqcbpld.exe
5016	Eiokinbk.exe
960	Eoideh32.exe
1276	Efblbbqd.exe
4072	Emmdom32.exe
4940	Ebimgcfi.exe
792	Eicedn32.exe
1820	Epmmqheb.exe
3392	Eblimcdf.exe
2100	Emanjldl.exe
4596	Ebnfbcbc.exe
2652	Fihnomjp.exe
3604	Fpbflg32.exe
5032	Fbpchb32.exe
2056	Fijkdmhn.exe
5140	Fpdcag32.exe
5180	Fbbpmb32.exe
5224	Fimhjl32.exe
5264	Flkdfh32.exe
5312	Fbelcblk.exe
5352	Fechomko.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npefkf32.dll	Ckclhn32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Gbchdp32.exe	Glipgf32.exe
File created	C:\Windows\SysWOW64\Gifjfmcq.dll	Jilfifme.exe
File created	C:\Windows\SysWOW64\Ncchae32.exe	Nadleilm.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Eohmkb32.exe	Egaejeej.exe
File created	C:\Windows\SysWOW64\Nplkhf32.exe	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Iepaaico.exe	Ibaeen32.exe
File created	C:\Windows\SysWOW64\Badjai32.dll	Foapaa32.exe
File created	C:\Windows\SysWOW64\Gdiaha32.dll	Pgnblm32.exe
File opened for modification	C:\Windows\SysWOW64\Anffje32.exe	Akgjnj32.exe
File created	C:\Windows\SysWOW64\Agqhik32.exe	Ahngmnnd.exe
File created	C:\Windows\SysWOW64\Ebimgcfi.exe	Emmdom32.exe
File opened for modification	C:\Windows\SysWOW64\Ickglm32.exe	Imnocf32.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Mgloefco.exe
File created	C:\Windows\SysWOW64\Mmpmnl32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Iijfhbhl.exe	Ibqnkh32.exe
File created	C:\Windows\SysWOW64\Qaalblgi.exe	Pocpfphe.exe
File created	C:\Windows\SysWOW64\Nmqmbmdf.dll	Fihnomjp.exe
File created	C:\Windows\SysWOW64\Fimhjl32.exe	Fbbpmb32.exe
File created	C:\Windows\SysWOW64\Fbgihaji.exe	Flmqlg32.exe
File created	C:\Windows\SysWOW64\Gbalopbn.exe	Glgcbf32.exe
File opened for modification	C:\Windows\SysWOW64\Igajal32.exe	Ibfnqmpf.exe
File created	C:\Windows\SysWOW64\Abmcod32.dll	Ckcbaf32.exe
File created	C:\Windows\SysWOW64\Qhkdof32.exe	Qaalblgi.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Bgbpaipl.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Fihgkk32.dll	Lmdnbn32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Hcbpme32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Clbbjg32.dll	Aqilaplo.exe
File created	C:\Windows\SysWOW64\Fimgpahk.dll	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Hiaafn32.dll	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Jobfelii.dll	Jljbeali.exe
File created	C:\Windows\SysWOW64\Appfnncn.dll	Kpmdfonj.exe
File opened for modification	C:\Windows\SysWOW64\Qpcecb32.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Oifoah32.dll	Edbiniff.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Iijfhbhl.exe
File opened for modification	C:\Windows\SysWOW64\Pahpee32.exe	Pknghk32.exe
File created	C:\Windows\SysWOW64\Dkfadkgf.exe	Dfiildio.exe
File opened for modification	C:\Windows\SysWOW64\Eiokinbk.exe	Deqcbpld.exe
File created	C:\Windows\SysWOW64\Pjjaci32.exe	Pdmikb32.exe
File opened for modification	C:\Windows\SysWOW64\Dbpjaeoc.exe	Dkfadkgf.exe
File created	C:\Windows\SysWOW64\Ghjnkpdc.dll	Gbalopbn.exe
File created	C:\Windows\SysWOW64\Jphkkpbp.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Bgqoll32.dll	Ljceqb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Dbpjaeoc.exe	Dkfadkgf.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Ajhndgjj.exe	Agiahlkf.exe
File created	C:\Windows\SysWOW64\Ohofdmkm.dll	Ebnfbcbc.exe
File created	C:\Windows\SysWOW64\Holfoqcm.exe	Hmkigh32.exe
File created	C:\Windows\SysWOW64\Hfcnpn32.exe	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Impliekg.exe	Ickglm32.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Mqfpckhm.exe
File opened for modification	C:\Windows\SysWOW64\Oacmchcl.exe	Okiefn32.exe
File opened for modification	C:\Windows\SysWOW64\Aojefobm.exe	Ahpmjejp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7336	9492	WerFault.exe	503

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggmmlamj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfeaopqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blmjdmok.dll"	Bnaffdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnpbgajc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmkhgho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaae32.dll"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oacmchcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anhcpeon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfgkjnai.dll"	Nplkhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll"	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cljobphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkceokii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cicjokll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilcol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dabhomea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadggj32.dll"	Aojefobm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deqcbpld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmbbodp.dll"	Akgjnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckqbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Decmjjie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbdcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imnocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqpbboeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebdcmhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbbnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpedjnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3536	4380	00b20c9489e1dad5f071b2821525320c.exe	399
PID 4380 wrote to memory of 3536	4380	00b20c9489e1dad5f071b2821525320c.exe	399
PID 4380 wrote to memory of 3536	4380	00b20c9489e1dad5f071b2821525320c.exe	399
PID 3536 wrote to memory of 4060	3536	Pdmkhgho.exe	397
PID 3536 wrote to memory of 4060	3536	Pdmkhgho.exe	397
PID 3536 wrote to memory of 4060	3536	Pdmkhgho.exe	397
PID 4060 wrote to memory of 4120	4060	Pocpfphe.exe	89
PID 4060 wrote to memory of 4120	4060	Pocpfphe.exe	89
PID 4060 wrote to memory of 4120	4060	Pocpfphe.exe	89
PID 4120 wrote to memory of 5056	4120	Qaalblgi.exe	90
PID 4120 wrote to memory of 5056	4120	Qaalblgi.exe	90
PID 4120 wrote to memory of 5056	4120	Qaalblgi.exe	90
PID 5056 wrote to memory of 4896	5056	Qhkdof32.exe	396
PID 5056 wrote to memory of 4896	5056	Qhkdof32.exe	396
PID 5056 wrote to memory of 4896	5056	Qhkdof32.exe	396
PID 4896 wrote to memory of 3876	4896	Qdbdcg32.exe	395
PID 4896 wrote to memory of 3876	4896	Qdbdcg32.exe	395
PID 4896 wrote to memory of 3876	4896	Qdbdcg32.exe	395
PID 3876 wrote to memory of 5012	3876	Aafemk32.exe	91
PID 3876 wrote to memory of 5012	3876	Aafemk32.exe	91
PID 3876 wrote to memory of 5012	3876	Aafemk32.exe	91
PID 5012 wrote to memory of 3112	5012	Ahpmjejp.exe	394
PID 5012 wrote to memory of 3112	5012	Ahpmjejp.exe	394
PID 5012 wrote to memory of 3112	5012	Ahpmjejp.exe	394
PID 3112 wrote to memory of 1856	3112	Aojefobm.exe	92
PID 3112 wrote to memory of 1856	3112	Aojefobm.exe	92
PID 3112 wrote to memory of 1856	3112	Aojefobm.exe	92
PID 1856 wrote to memory of 3784	1856	Aednci32.exe	393
PID 1856 wrote to memory of 3784	1856	Aednci32.exe	393
PID 1856 wrote to memory of 3784	1856	Aednci32.exe	393
PID 3784 wrote to memory of 3720	3784	Alnfpcag.exe	392
PID 3784 wrote to memory of 3720	3784	Alnfpcag.exe	392
PID 3784 wrote to memory of 3720	3784	Alnfpcag.exe	392
PID 3720 wrote to memory of 4164	3720	Aefjii32.exe	391
PID 3720 wrote to memory of 4164	3720	Aefjii32.exe	391
PID 3720 wrote to memory of 4164	3720	Aefjii32.exe	391
PID 4164 wrote to memory of 5080	4164	Aonoao32.exe	390
PID 4164 wrote to memory of 5080	4164	Aonoao32.exe	390
PID 4164 wrote to memory of 5080	4164	Aonoao32.exe	390
PID 5080 wrote to memory of 4064	5080	Adkgje32.exe	389
PID 5080 wrote to memory of 4064	5080	Adkgje32.exe	389
PID 5080 wrote to memory of 4064	5080	Adkgje32.exe	389
PID 4064 wrote to memory of 2596	4064	Aoalgn32.exe	388
PID 4064 wrote to memory of 2596	4064	Aoalgn32.exe	388
PID 4064 wrote to memory of 2596	4064	Aoalgn32.exe	388
PID 2596 wrote to memory of 1076	2596	Ahippdbe.exe	387
PID 2596 wrote to memory of 1076	2596	Ahippdbe.exe	387
PID 2596 wrote to memory of 1076	2596	Ahippdbe.exe	387
PID 1076 wrote to memory of 2644	1076	Bochmn32.exe	386
PID 1076 wrote to memory of 2644	1076	Bochmn32.exe	386
PID 1076 wrote to memory of 2644	1076	Bochmn32.exe	386
PID 2644 wrote to memory of 1352	2644	Bemqih32.exe	385
PID 2644 wrote to memory of 1352	2644	Bemqih32.exe	385
PID 2644 wrote to memory of 1352	2644	Bemqih32.exe	385
PID 1352 wrote to memory of 1312	1352	Bkjiao32.exe	384
PID 1352 wrote to memory of 1312	1352	Bkjiao32.exe	384
PID 1352 wrote to memory of 1312	1352	Bkjiao32.exe	384
PID 1312 wrote to memory of 1764	1312	Bdbnjdfg.exe	383
PID 1312 wrote to memory of 1764	1312	Bdbnjdfg.exe	383
PID 1312 wrote to memory of 1764	1312	Bdbnjdfg.exe	383
PID 1764 wrote to memory of 3328	1764	Bnkbcj32.exe	93
PID 1764 wrote to memory of 3328	1764	Bnkbcj32.exe	93
PID 1764 wrote to memory of 3328	1764	Bnkbcj32.exe	93
PID 3328 wrote to memory of 4908	3328	Bhpfqcln.exe	382

C:\Users\Admin\AppData\Local\Temp\00b20c9489e1dad5f071b2821525320c.exe
"C:\Users\Admin\AppData\Local\Temp\00b20c9489e1dad5f071b2821525320c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\Pdmkhgho.exe
  C:\Windows\system32\Pdmkhgho.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3536

C:\Windows\SysWOW64\Qaalblgi.exe
C:\Windows\system32\Qaalblgi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\Qhkdof32.exe
  C:\Windows\system32\Qhkdof32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\Qdbdcg32.exe
    C:\Windows\system32\Qdbdcg32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4896

C:\Windows\SysWOW64\Ahpmjejp.exe
C:\Windows\system32\Ahpmjejp.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\Aojefobm.exe
  C:\Windows\system32\Aojefobm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3112

C:\Windows\SysWOW64\Aednci32.exe
C:\Windows\system32\Aednci32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\Alnfpcag.exe
  C:\Windows\system32\Alnfpcag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3784

C:\Windows\SysWOW64\Bhpfqcln.exe
C:\Windows\system32\Bhpfqcln.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\Bojomm32.exe
  C:\Windows\system32\Bojomm32.exe
  2⤵
  - Executes dropped EXE
  PID:4908

C:\Windows\SysWOW64\Clchbqoo.exe
C:\Windows\system32\Clchbqoo.exe
1⤵
- Executes dropped EXE
PID:4688
- C:\Windows\SysWOW64\Cfkmkf32.exe
  C:\Windows\system32\Cfkmkf32.exe
  2⤵
  - Executes dropped EXE
  PID:552

C:\Windows\SysWOW64\Clgbmp32.exe
C:\Windows\system32\Clgbmp32.exe
1⤵
- Executes dropped EXE
PID:1392
- C:\Windows\SysWOW64\Cfpffeaj.exe
  C:\Windows\system32\Cfpffeaj.exe
  2⤵
  - Executes dropped EXE
  PID:2896

C:\Windows\SysWOW64\Dmohno32.exe
C:\Windows\system32\Dmohno32.exe
1⤵
- Executes dropped EXE
PID:4812
- C:\Windows\SysWOW64\Domdjj32.exe
  C:\Windows\system32\Domdjj32.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- - C:\Windows\SysWOW64\Ddjmba32.exe
    C:\Windows\system32\Ddjmba32.exe
    3⤵
    - Executes dropped EXE
    PID:1460
  - - C:\Windows\SysWOW64\Dkceokii.exe
      C:\Windows\system32\Dkceokii.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:2732
    - - C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
      - C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        7⤵
        Executes dropped EXE
        
        PID:3612

C:\Windows\SysWOW64\Dmennnni.exe
C:\Windows\system32\Dmennnni.exe
1⤵
- Executes dropped EXE
PID:3868
- C:\Windows\SysWOW64\Dngjff32.exe
  C:\Windows\system32\Dngjff32.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- - C:\Windows\SysWOW64\Deqcbpld.exe
    C:\Windows\system32\Deqcbpld.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:3976
  - - C:\Windows\SysWOW64\Eiokinbk.exe
      C:\Windows\system32\Eiokinbk.exe
      4⤵
      Executes dropped EXE
      PID:5016
    - - C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        5⤵
        Executes dropped EXE
        
        PID:960

C:\Windows\SysWOW64\Eblimcdf.exe
C:\Windows\system32\Eblimcdf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3392
- C:\Windows\SysWOW64\Emanjldl.exe
  C:\Windows\system32\Emanjldl.exe
  2⤵
  - Executes dropped EXE
  PID:2100

C:\Windows\SysWOW64\Ebnfbcbc.exe
C:\Windows\system32\Ebnfbcbc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596
- C:\Windows\SysWOW64\Fihnomjp.exe
  C:\Windows\system32\Fihnomjp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2652
- - C:\Windows\SysWOW64\Fpbflg32.exe
    C:\Windows\system32\Fpbflg32.exe
    3⤵
    - Executes dropped EXE
    PID:3604

C:\Windows\SysWOW64\Fbbpmb32.exe
C:\Windows\system32\Fbbpmb32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5180
- C:\Windows\SysWOW64\Fimhjl32.exe
  C:\Windows\system32\Fimhjl32.exe
  2⤵
  - Executes dropped EXE
  PID:5224

C:\Windows\SysWOW64\Fechomko.exe
C:\Windows\system32\Fechomko.exe
1⤵
- Executes dropped EXE
PID:5352
- C:\Windows\SysWOW64\Flmqlg32.exe
  C:\Windows\system32\Flmqlg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:5400
- - C:\Windows\SysWOW64\Fbgihaji.exe
    C:\Windows\system32\Fbgihaji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:5452
  - - C:\Windows\SysWOW64\Ffceip32.exe
      C:\Windows\system32\Ffceip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5496
    - - C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
      - C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        6⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        7⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        8⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        9⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        10⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        11⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816

C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5860
- C:\Windows\SysWOW64\Gflhoo32.exe
  C:\Windows\system32\Gflhoo32.exe
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\Glipgf32.exe
    C:\Windows\system32\Glipgf32.exe
    3⤵
    - Drops file in System32 directory
    PID:5940
  - - C:\Windows\SysWOW64\Gbchdp32.exe
      C:\Windows\system32\Gbchdp32.exe
      4⤵
      PID:5980
    - - C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        5⤵
        Modifies registry class
        
        PID:6020
      - C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060

C:\Windows\SysWOW64\Gojiiafp.exe
C:\Windows\system32\Gojiiafp.exe
1⤵
PID:6108
- C:\Windows\SysWOW64\Hedafk32.exe
  C:\Windows\system32\Hedafk32.exe
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\Hmkigh32.exe
    C:\Windows\system32\Hmkigh32.exe
    3⤵
    - Drops file in System32 directory
    PID:5216
  - - C:\Windows\SysWOW64\Holfoqcm.exe
      C:\Windows\system32\Holfoqcm.exe
      4⤵
      Drops file in System32 directory
      PID:5344
    - - C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        5⤵
        
        PID:5412
      - C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        6⤵
        
        PID:5520

C:\Windows\SysWOW64\Hlpfhe32.exe
C:\Windows\system32\Hlpfhe32.exe
1⤵
- Modifies registry class
PID:5600
- C:\Windows\SysWOW64\Hoobdp32.exe
  C:\Windows\system32\Hoobdp32.exe
  2⤵
  - Modifies registry class
  PID:5672

C:\Windows\SysWOW64\Hffken32.exe
C:\Windows\system32\Hffken32.exe
1⤵
PID:5732
- C:\Windows\SysWOW64\Hmpcbhji.exe
  C:\Windows\system32\Hmpcbhji.exe
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\Hlglidlo.exe
    C:\Windows\system32\Hlglidlo.exe
    3⤵
    PID:5884

C:\Windows\SysWOW64\Fbelcblk.exe
C:\Windows\system32\Fbelcblk.exe
1⤵
- Executes dropped EXE
PID:5312

C:\Windows\SysWOW64\Hpchib32.exe
C:\Windows\system32\Hpchib32.exe
1⤵
PID:5948
- C:\Windows\SysWOW64\Ibaeen32.exe
  C:\Windows\system32\Ibaeen32.exe
  2⤵
  - Drops file in System32 directory
  PID:6028

C:\Windows\SysWOW64\Iepaaico.exe
C:\Windows\system32\Iepaaico.exe
1⤵
PID:6100
- C:\Windows\SysWOW64\Imgicgca.exe
  C:\Windows\system32\Imgicgca.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:5132
- - C:\Windows\SysWOW64\Iohejo32.exe
    C:\Windows\system32\Iohejo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:5320

C:\Windows\SysWOW64\Ifomll32.exe
C:\Windows\system32\Ifomll32.exe
1⤵
PID:5444
- C:\Windows\SysWOW64\Iebngial.exe
  C:\Windows\system32\Iebngial.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5596
- - C:\Windows\SysWOW64\Ipgbdbqb.exe
    C:\Windows\system32\Ipgbdbqb.exe
    3⤵
    PID:5704
  - - C:\Windows\SysWOW64\Ibfnqmpf.exe
      C:\Windows\system32\Ibfnqmpf.exe
      4⤵
      Drops file in System32 directory
      PID:3988
    - - C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        5⤵
        Modifies registry class
        
        PID:5928
      - C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        6⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        7⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        10⤵
        
        PID:5760

C:\Windows\SysWOW64\Joahqn32.exe
C:\Windows\system32\Joahqn32.exe
1⤵
PID:5896
- C:\Windows\SysWOW64\Jekqmhia.exe
  C:\Windows\system32\Jekqmhia.exe
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\Jiglnf32.exe
    C:\Windows\system32\Jiglnf32.exe
    3⤵
    PID:5488
  - - C:\Windows\SysWOW64\Jpaekqhh.exe
      C:\Windows\system32\Jpaekqhh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5808

C:\Windows\SysWOW64\Jcoaglhk.exe
C:\Windows\system32\Jcoaglhk.exe
1⤵
PID:6104
- C:\Windows\SysWOW64\Jenmcggo.exe
  C:\Windows\system32\Jenmcggo.exe
  2⤵
  - Modifies registry class
  PID:5720
- - C:\Windows\SysWOW64\Jiiicf32.exe
    C:\Windows\system32\Jiiicf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:5304
  - - C:\Windows\SysWOW64\Jcanll32.exe
      C:\Windows\system32\Jcanll32.exe
      4⤵
      PID:6088
    - - C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        5⤵
        Drops file in System32 directory
        
        PID:6148
      - C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        6⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        7⤵
        
        PID:6236

C:\Windows\SysWOW64\Jgpfbjlo.exe
C:\Windows\system32\Jgpfbjlo.exe
1⤵
PID:6280
- C:\Windows\SysWOW64\Jniood32.exe
  C:\Windows\system32\Jniood32.exe
  2⤵
  - Drops file in System32 directory
  PID:6324
- - C:\Windows\SysWOW64\Jphkkpbp.exe
    C:\Windows\system32\Jphkkpbp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6368
  - - C:\Windows\SysWOW64\Jcfggkac.exe
      C:\Windows\system32\Jcfggkac.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6408
    - - C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        5⤵
        
        PID:6456

C:\Windows\SysWOW64\Jlolpq32.exe
C:\Windows\system32\Jlolpq32.exe
1⤵
PID:6496
- C:\Windows\SysWOW64\Komhll32.exe
  C:\Windows\system32\Komhll32.exe
  2⤵
  PID:6548
- - C:\Windows\SysWOW64\Kegpifod.exe
    C:\Windows\system32\Kegpifod.exe
    3⤵
    PID:6592

C:\Windows\SysWOW64\Knnhjcog.exe
C:\Windows\system32\Knnhjcog.exe
1⤵
PID:6632
- C:\Windows\SysWOW64\Kpmdfonj.exe
  C:\Windows\system32\Kpmdfonj.exe
  2⤵
  - Drops file in System32 directory
  PID:6680
- - C:\Windows\SysWOW64\Kckqbj32.exe
    C:\Windows\system32\Kckqbj32.exe
    3⤵
    - Modifies registry class
    PID:6724
  - - C:\Windows\SysWOW64\Kjeiodek.exe
      C:\Windows\system32\Kjeiodek.exe
      4⤵
      PID:6768

C:\Windows\SysWOW64\Klcekpdo.exe
C:\Windows\system32\Klcekpdo.exe
1⤵
PID:6808
- C:\Windows\SysWOW64\Koaagkcb.exe
  C:\Windows\system32\Koaagkcb.exe
  2⤵
  PID:6856
- - C:\Windows\SysWOW64\Kgiiiidd.exe
    C:\Windows\system32\Kgiiiidd.exe
    3⤵
    PID:6896

C:\Windows\SysWOW64\Kjgeedch.exe
C:\Windows\system32\Kjgeedch.exe
1⤵
- Modifies registry class
PID:6940
- C:\Windows\SysWOW64\Klfaapbl.exe
  C:\Windows\system32\Klfaapbl.exe
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\Kcpjnjii.exe
    C:\Windows\system32\Kcpjnjii.exe
    3⤵
    PID:7032
  - - C:\Windows\SysWOW64\Kgnbdh32.exe
      C:\Windows\system32\Kgnbdh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      Modifies registry class
      PID:7076

C:\Windows\SysWOW64\Kngkqbgl.exe
C:\Windows\system32\Kngkqbgl.exe
1⤵
PID:7116
- C:\Windows\SysWOW64\Lpfgmnfp.exe
  C:\Windows\system32\Lpfgmnfp.exe
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\Lgpoihnl.exe
    C:\Windows\system32\Lgpoihnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6172
  - - C:\Windows\SysWOW64\Ljnlecmp.exe
      C:\Windows\system32\Ljnlecmp.exe
      4⤵
      Modifies registry class
      PID:6248

C:\Windows\SysWOW64\Llmhaold.exe
C:\Windows\system32\Llmhaold.exe
1⤵
PID:6316
- C:\Windows\SysWOW64\Lokdnjkg.exe
  C:\Windows\system32\Lokdnjkg.exe
  2⤵
  PID:6400
- - C:\Windows\SysWOW64\Lgbloglj.exe
    C:\Windows\system32\Lgbloglj.exe
    3⤵
    - Modifies registry class
    PID:6440

C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
1⤵
PID:6536
- C:\Windows\SysWOW64\Lomqcjie.exe
  C:\Windows\system32\Lomqcjie.exe
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\Lgdidgjg.exe
    C:\Windows\system32\Lgdidgjg.exe
    3⤵
    PID:6664

C:\Windows\SysWOW64\Ljceqb32.exe
C:\Windows\system32\Ljceqb32.exe
1⤵
- Drops file in System32 directory
PID:6712
- C:\Windows\SysWOW64\Lmaamn32.exe
  C:\Windows\system32\Lmaamn32.exe
  2⤵
  PID:6796
- - C:\Windows\SysWOW64\Lopmii32.exe
    C:\Windows\system32\Lopmii32.exe
    3⤵
    PID:6884

C:\Windows\SysWOW64\Lfjfecno.exe
C:\Windows\system32\Lfjfecno.exe
1⤵
PID:7056
- C:\Windows\SysWOW64\Lmdnbn32.exe
  C:\Windows\system32\Lmdnbn32.exe
  2⤵
  - Drops file in System32 directory
  PID:7148

C:\Windows\SysWOW64\Lobjni32.exe
C:\Windows\system32\Lobjni32.exe
1⤵
PID:6200
- C:\Windows\SysWOW64\Ljhnlb32.exe
  C:\Windows\system32\Ljhnlb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3620
- - C:\Windows\SysWOW64\Modgdicm.exe
    C:\Windows\system32\Modgdicm.exe
    3⤵
    PID:6396
  - - C:\Windows\SysWOW64\Mgloefco.exe
      C:\Windows\system32\Mgloefco.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:6540
    - - C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        5⤵
        
        PID:6640
      - C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        6⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        9⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        10⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        11⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        12⤵
        Drops file in System32 directory
        
        PID:6276

C:\Windows\SysWOW64\Mmpmnl32.exe
C:\Windows\system32\Mmpmnl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6464
- C:\Windows\SysWOW64\Mqkiok32.exe
  C:\Windows\system32\Mqkiok32.exe
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\Mgeakekd.exe
    C:\Windows\system32\Mgeakekd.exe
    3⤵
    PID:6764
  - - C:\Windows\SysWOW64\Mjcngpjh.exe
      C:\Windows\system32\Mjcngpjh.exe
      4⤵
      PID:6928
    - - C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        5⤵
        Modifies registry class
        
        PID:7028
      - C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        6⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        7⤵
        
        PID:6392

C:\Windows\SysWOW64\Nmdgikhi.exe
C:\Windows\system32\Nmdgikhi.exe
1⤵
- Modifies registry class
PID:6508
- C:\Windows\SysWOW64\Nqpcjj32.exe
  C:\Windows\system32\Nqpcjj32.exe
  2⤵
  PID:6888
- - C:\Windows\SysWOW64\Nflkbanj.exe
    C:\Windows\system32\Nflkbanj.exe
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\Nqbpojnp.exe
      C:\Windows\system32\Nqbpojnp.exe
      4⤵
      PID:7208
    - - C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        5⤵
        Drops file in System32 directory
        
        PID:7260

C:\Windows\SysWOW64\Nfohgqlg.exe
C:\Windows\system32\Nfohgqlg.exe
1⤵
PID:7304
- C:\Windows\SysWOW64\Nnfpinmi.exe
  C:\Windows\system32\Nnfpinmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7344
- - C:\Windows\SysWOW64\Nadleilm.exe
    C:\Windows\system32\Nadleilm.exe
    3⤵
    - Drops file in System32 directory
    PID:7384
  - - C:\Windows\SysWOW64\Ncchae32.exe
      C:\Windows\system32\Ncchae32.exe
      4⤵
      PID:7432

C:\Windows\SysWOW64\Nmkmjjaa.exe
C:\Windows\system32\Nmkmjjaa.exe
1⤵
PID:7508
- C:\Windows\SysWOW64\Nceefd32.exe
  C:\Windows\system32\Nceefd32.exe
  2⤵
  PID:7564

C:\Windows\SysWOW64\Njmqnobn.exe
C:\Windows\system32\Njmqnobn.exe
1⤵
PID:7472

C:\Windows\SysWOW64\Omnjojpo.exe
C:\Windows\system32\Omnjojpo.exe
1⤵
PID:7676
- C:\Windows\SysWOW64\Oplfkeob.exe
  C:\Windows\system32\Oplfkeob.exe
  2⤵
  - Modifies registry class
  PID:7724
- - C:\Windows\SysWOW64\Ojajin32.exe
    C:\Windows\system32\Ojajin32.exe
    3⤵
    - Modifies registry class
    PID:7768
  - - C:\Windows\SysWOW64\Ompfej32.exe
      C:\Windows\system32\Ompfej32.exe
      4⤵
      PID:7812
    - - C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        5⤵
        
        PID:7876

C:\Windows\SysWOW64\Oanokhdb.exe
C:\Windows\system32\Oanokhdb.exe
1⤵
PID:7932
- C:\Windows\SysWOW64\Oghghb32.exe
  C:\Windows\system32\Oghghb32.exe
  2⤵
  - Modifies registry class
  PID:8000

C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
1⤵
PID:8056
- C:\Windows\SysWOW64\Oaplqh32.exe
  C:\Windows\system32\Oaplqh32.exe
  2⤵
  PID:8108

C:\Windows\SysWOW64\Ogjdmbil.exe
C:\Windows\system32\Ogjdmbil.exe
1⤵
PID:8148
- C:\Windows\SysWOW64\Ojhpimhp.exe
  C:\Windows\system32\Ojhpimhp.exe
  2⤵
  - Drops file in System32 directory
  PID:8188
- - C:\Windows\SysWOW64\Omgmeigd.exe
    C:\Windows\system32\Omgmeigd.exe
    3⤵
    PID:6312
  - - C:\Windows\SysWOW64\Ohlqcagj.exe
      C:\Windows\system32\Ohlqcagj.exe
      4⤵
      Modifies registry class
      PID:6736
    - - C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        5⤵
        Modifies registry class
        
        PID:6904
      - C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        6⤵
        
        PID:7244

C:\Windows\SysWOW64\Phonha32.exe
C:\Windows\system32\Phonha32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7368
- C:\Windows\SysWOW64\Pmlfqh32.exe
  C:\Windows\system32\Pmlfqh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7420
- - C:\Windows\SysWOW64\Ppjbmc32.exe
    C:\Windows\system32\Ppjbmc32.exe
    3⤵
    - Drops file in System32 directory
    PID:7520
  - - C:\Windows\SysWOW64\Pfdjinjo.exe
      C:\Windows\system32\Pfdjinjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:7600
    - - C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        5⤵
        
        PID:1180
      - C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        6⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        7⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        8⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        9⤵
        Modifies registry class
        
        PID:7944

C:\Windows\SysWOW64\Panhbfep.exe
C:\Windows\system32\Panhbfep.exe
1⤵
PID:8040
- C:\Windows\SysWOW64\Qhhpop32.exe
  C:\Windows\system32\Qhhpop32.exe
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\Qobhkjdi.exe
    C:\Windows\system32\Qobhkjdi.exe
    3⤵
    - Drops file in System32 directory
    PID:8172
  - - C:\Windows\SysWOW64\Qpcecb32.exe
      C:\Windows\system32\Qpcecb32.exe
      4⤵
      Modifies registry class
      PID:6800

C:\Windows\SysWOW64\Qfmmplad.exe
C:\Windows\system32\Qfmmplad.exe
1⤵
PID:3432
- C:\Windows\SysWOW64\Qodeajbg.exe
  C:\Windows\system32\Qodeajbg.exe
  2⤵
  PID:7288
- - C:\Windows\SysWOW64\Apjkcadp.exe
    C:\Windows\system32\Apjkcadp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:7396

C:\Windows\SysWOW64\Ahdpjn32.exe
C:\Windows\system32\Ahdpjn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7668
- C:\Windows\SysWOW64\Aonhghjl.exe
  C:\Windows\system32\Aonhghjl.exe
  2⤵
  PID:7744
- - C:\Windows\SysWOW64\Adkqoohc.exe
    C:\Windows\system32\Adkqoohc.exe
    3⤵
    PID:7824
  - - C:\Windows\SysWOW64\Akdilipp.exe
      C:\Windows\system32\Akdilipp.exe
      4⤵
      PID:8072
    - - C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        5⤵
        
        PID:8136

C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
1⤵
PID:7196
- C:\Windows\SysWOW64\Bkgeainn.exe
  C:\Windows\system32\Bkgeainn.exe
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\Bmeandma.exe
    C:\Windows\system32\Bmeandma.exe
    3⤵
    PID:7620

C:\Windows\SysWOW64\Bhkfkmmg.exe
C:\Windows\system32\Bhkfkmmg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8052
- C:\Windows\SysWOW64\Bkibgh32.exe
  C:\Windows\system32\Bkibgh32.exe
  2⤵
  - Drops file in System32 directory
  PID:6788

C:\Windows\SysWOW64\Bmhocd32.exe
C:\Windows\system32\Bmhocd32.exe
1⤵
- Drops file in System32 directory
PID:7296
- C:\Windows\SysWOW64\Bpfkpp32.exe
  C:\Windows\system32\Bpfkpp32.exe
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\Bgpcliao.exe
    C:\Windows\system32\Bgpcliao.exe
    3⤵
    - Modifies registry class
    PID:8132
  - - C:\Windows\SysWOW64\Bogkmgba.exe
      C:\Windows\system32\Bogkmgba.exe
      4⤵
      Drops file in System32 directory
      PID:7228
    - - C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        5⤵
        Drops file in System32 directory
        
        PID:7916

C:\Windows\SysWOW64\Bgbpaipl.exe
C:\Windows\system32\Bgbpaipl.exe
1⤵
PID:7172
- C:\Windows\SysWOW64\Bahdob32.exe
  C:\Windows\system32\Bahdob32.exe
  2⤵
  PID:8156
- - C:\Windows\SysWOW64\Bajqda32.exe
    C:\Windows\system32\Bajqda32.exe
    3⤵
    PID:7556
  - - C:\Windows\SysWOW64\Chdialdl.exe
      C:\Windows\system32\Chdialdl.exe
      4⤵
      PID:8232
    - - C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8276

C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
1⤵
PID:8328
- C:\Windows\SysWOW64\Cdkifmjq.exe
  C:\Windows\system32\Cdkifmjq.exe
  2⤵
  PID:8372

C:\Windows\SysWOW64\Coqncejg.exe
C:\Windows\system32\Coqncejg.exe
1⤵
PID:8412
- C:\Windows\SysWOW64\Chiblk32.exe
  C:\Windows\system32\Chiblk32.exe
  2⤵
  - Modifies registry class
  PID:8460
- - C:\Windows\SysWOW64\Cnfkdb32.exe
    C:\Windows\system32\Cnfkdb32.exe
    3⤵
    - Modifies registry class
    PID:8516
  - - C:\Windows\SysWOW64\Coegoe32.exe
      C:\Windows\system32\Coegoe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:8556

C:\Windows\SysWOW64\Bpdnjple.exe
C:\Windows\system32\Bpdnjple.exe
1⤵
PID:7684

C:\Windows\SysWOW64\Cpfcfmlp.exe
C:\Windows\system32\Cpfcfmlp.exe
1⤵
- Modifies registry class
PID:8592
- C:\Windows\SysWOW64\Chnlgjlb.exe
  C:\Windows\system32\Chnlgjlb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:8636

C:\Windows\SysWOW64\Cklhcfle.exe
C:\Windows\system32\Cklhcfle.exe
1⤵
- Modifies registry class
PID:8676
- C:\Windows\SysWOW64\Dafppp32.exe
  C:\Windows\system32\Dafppp32.exe
  2⤵
  PID:8720
- - C:\Windows\SysWOW64\Dddllkbf.exe
    C:\Windows\system32\Dddllkbf.exe
    3⤵
    PID:8772
  - - C:\Windows\SysWOW64\Dgcihgaj.exe
      C:\Windows\system32\Dgcihgaj.exe
      4⤵
      Drops file in System32 directory
      PID:8812
    - - C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        5⤵
        Modifies registry class
        
        PID:8856
      - C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        6⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        7⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        8⤵
        
        PID:8984

C:\Windows\SysWOW64\Dnajppda.exe
C:\Windows\system32\Dnajppda.exe
1⤵
PID:9020
- C:\Windows\SysWOW64\Dqpfmlce.exe
  C:\Windows\system32\Dqpfmlce.exe
  2⤵
  PID:9060
- - C:\Windows\SysWOW64\Dhgonidg.exe
    C:\Windows\system32\Dhgonidg.exe
    3⤵
    PID:9108
  - - C:\Windows\SysWOW64\Dkekjdck.exe
      C:\Windows\system32\Dkekjdck.exe
      4⤵
      PID:9156
    - - C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        5⤵
        
        PID:9200
      - C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        6⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        7⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        8⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        9⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        10⤵
        Drops file in System32 directory
        
        PID:8468
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        11⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        12⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        13⤵
        
        PID:8660

C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
1⤵
- Modifies registry class
PID:7612

C:\Windows\SysWOW64\Fooclapd.exe
C:\Windows\system32\Fooclapd.exe
1⤵
PID:8740
- C:\Windows\SysWOW64\Fqppci32.exe
  C:\Windows\system32\Fqppci32.exe
  2⤵
  PID:8820
- - C:\Windows\SysWOW64\Figgdg32.exe
    C:\Windows\system32\Figgdg32.exe
    3⤵
    PID:8880

C:\Windows\SysWOW64\Fkfcqb32.exe
C:\Windows\system32\Fkfcqb32.exe
1⤵
- Modifies registry class
PID:8932
- C:\Windows\SysWOW64\Foapaa32.exe
  C:\Windows\system32\Foapaa32.exe
  2⤵
  - Drops file in System32 directory
  PID:9000
- - C:\Windows\SysWOW64\Fbplml32.exe
    C:\Windows\system32\Fbplml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9100

C:\Windows\SysWOW64\Fdnhih32.exe
C:\Windows\system32\Fdnhih32.exe
1⤵
PID:9144
- C:\Windows\SysWOW64\Fkhpfbce.exe
  C:\Windows\system32\Fkhpfbce.exe
  2⤵
  PID:6244
- - C:\Windows\SysWOW64\Fnfmbmbi.exe
    C:\Windows\system32\Fnfmbmbi.exe
    3⤵
    PID:8208
  - - C:\Windows\SysWOW64\Fbbicl32.exe
      C:\Windows\system32\Fbbicl32.exe
      4⤵
      PID:8380
    - - C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        5⤵
        
        PID:8476
      - C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8568
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716

C:\Windows\SysWOW64\Gkdpbpih.exe
C:\Windows\system32\Gkdpbpih.exe
1⤵
- Modifies registry class
PID:8796
- C:\Windows\SysWOW64\Gnblnlhl.exe
  C:\Windows\system32\Gnblnlhl.exe
  2⤵
  PID:8920
- - C:\Windows\SysWOW64\Gaqhjggp.exe
    C:\Windows\system32\Gaqhjggp.exe
    3⤵
    PID:9032

C:\Windows\SysWOW64\Gihpkd32.exe
C:\Windows\system32\Gihpkd32.exe
1⤵
PID:9132
- C:\Windows\SysWOW64\Glfmgp32.exe
  C:\Windows\system32\Glfmgp32.exe
  2⤵
  PID:7852
- - C:\Windows\SysWOW64\Gbpedjnb.exe
    C:\Windows\system32\Gbpedjnb.exe
    3⤵
    - Modifies registry class
    PID:8368
  - - C:\Windows\SysWOW64\Geoapenf.exe
      C:\Windows\system32\Geoapenf.exe
      4⤵
      Modifies registry class
      PID:8512

C:\Windows\SysWOW64\Ggmmlamj.exe
C:\Windows\system32\Ggmmlamj.exe
1⤵
- Modifies registry class
PID:8684
- C:\Windows\SysWOW64\Gpdennml.exe
  C:\Windows\system32\Gpdennml.exe
  2⤵
  PID:3456

C:\Windows\SysWOW64\Geanfelc.exe
C:\Windows\system32\Geanfelc.exe
1⤵
PID:8316
- C:\Windows\SysWOW64\Hlkfbocp.exe
  C:\Windows\system32\Hlkfbocp.exe
  2⤵
  PID:8544
- - C:\Windows\SysWOW64\Hbldphde.exe
    C:\Windows\system32\Hbldphde.exe
    3⤵
    PID:8868
  - - C:\Windows\SysWOW64\Hejqldci.exe
      C:\Windows\system32\Hejqldci.exe
      4⤵
      PID:8240
    - - C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        5⤵
        
        PID:7364

C:\Windows\SysWOW64\Gbbajjlp.exe
C:\Windows\system32\Gbbajjlp.exe
1⤵
- Modifies registry class
PID:9120

C:\Windows\SysWOW64\Ilfennic.exe
C:\Windows\system32\Ilfennic.exe
1⤵
PID:8804
- C:\Windows\SysWOW64\Inebjihf.exe
  C:\Windows\system32\Inebjihf.exe
  2⤵
  PID:8400
- - C:\Windows\SysWOW64\Ibqnkh32.exe
    C:\Windows\system32\Ibqnkh32.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:8852
  - - C:\Windows\SysWOW64\Iijfhbhl.exe
      C:\Windows\system32\Iijfhbhl.exe
      4⤵
      Drops file in System32 directory
      PID:3212

C:\Windows\SysWOW64\Ipdndloi.exe
C:\Windows\system32\Ipdndloi.exe
1⤵
PID:7324
- C:\Windows\SysWOW64\Iafkld32.exe
  C:\Windows\system32\Iafkld32.exe
  2⤵
  - Modifies registry class
  PID:8444
- - C:\Windows\SysWOW64\Ieagmcmq.exe
    C:\Windows\system32\Ieagmcmq.exe
    3⤵
    PID:9256
  - - C:\Windows\SysWOW64\Ihpcinld.exe
      C:\Windows\system32\Ihpcinld.exe
      4⤵
      PID:9304

C:\Windows\SysWOW64\Ibegfglj.exe
C:\Windows\system32\Ibegfglj.exe
1⤵
- Modifies registry class
PID:9344
- C:\Windows\SysWOW64\Iiopca32.exe
  C:\Windows\system32\Iiopca32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:9396
- - C:\Windows\SysWOW64\Ilnlom32.exe
    C:\Windows\system32\Ilnlom32.exe
    3⤵
    PID:9456
  - - C:\Windows\SysWOW64\Jeocna32.exe
      C:\Windows\system32\Jeocna32.exe
      4⤵
      PID:9680
    - - C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9740
      - C:\Windows\SysWOW64\Hcbpme32.exe
        
        C:\Windows\system32\Hcbpme32.exe
        6⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Jqhphq32.exe
        
        C:\Windows\system32\Jqhphq32.exe
        7⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        8⤵
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        9⤵
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        10⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        11⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3140
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        13⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Nmedmj32.exe
        
        C:\Windows\system32\Nmedmj32.exe
        14⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Ndomiddc.exe
        
        C:\Windows\system32\Ndomiddc.exe
        15⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        16⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        17⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        18⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        19⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        20⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        21⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Odfcjc32.exe
        
        C:\Windows\system32\Odfcjc32.exe
        22⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        23⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Pdmikb32.exe
        
        C:\Windows\system32\Pdmikb32.exe
        24⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        26⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        27⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Pnhjig32.exe
        
        C:\Windows\system32\Pnhjig32.exe
        28⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        29⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        30⤵
        
        PID:7128

C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\system32\Flkdfh32.exe
1⤵
- Executes dropped EXE
PID:5264

C:\Windows\SysWOW64\Fpdcag32.exe
C:\Windows\system32\Fpdcag32.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\system32\Fijkdmhn.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\system32\Fbpchb32.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\Epmmqheb.exe
C:\Windows\system32\Epmmqheb.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\Eicedn32.exe
C:\Windows\system32\Eicedn32.exe
1⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\Ebimgcfi.exe
C:\Windows\system32\Ebimgcfi.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWOW64\Emmdom32.exe
C:\Windows\system32\Emmdom32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4072

C:\Windows\SysWOW64\Efblbbqd.exe
C:\Windows\system32\Efblbbqd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\Dbicpfdk.exe
C:\Windows\system32\Dbicpfdk.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4048

C:\Windows\SysWOW64\Dmlkhofd.exe
C:\Windows\system32\Dmlkhofd.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWOW64\Cfbcke32.exe
C:\Windows\system32\Cfbcke32.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\Cljobphg.exe
C:\Windows\system32\Cljobphg.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\Cbbnpg32.exe
C:\Windows\system32\Cbbnpg32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3292

C:\Windows\SysWOW64\Cleegp32.exe
C:\Windows\system32\Cleegp32.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\Camddhoi.exe
C:\Windows\system32\Camddhoi.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4196

C:\Windows\SysWOW64\Ckclhn32.exe
C:\Windows\system32\Ckclhn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3608

C:\Windows\SysWOW64\Bnkbcj32.exe
C:\Windows\system32\Bnkbcj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\Bdbnjdfg.exe
C:\Windows\system32\Bdbnjdfg.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\Bkjiao32.exe
C:\Windows\system32\Bkjiao32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\Bemqih32.exe
C:\Windows\system32\Bemqih32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\Bochmn32.exe
C:\Windows\system32\Bochmn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\Ahippdbe.exe
C:\Windows\system32\Ahippdbe.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\Aoalgn32.exe
C:\Windows\system32\Aoalgn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\Adkgje32.exe
C:\Windows\system32\Adkgje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\Aonoao32.exe
C:\Windows\system32\Aonoao32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\Aefjii32.exe
C:\Windows\system32\Aefjii32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\Aafemk32.exe
C:\Windows\system32\Aafemk32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\Pocpfphe.exe
C:\Windows\system32\Pocpfphe.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\Pnjgog32.exe
C:\Windows\system32\Pnjgog32.exe
1⤵
PID:6956
- C:\Windows\SysWOW64\Pafcofcg.exe
  C:\Windows\system32\Pafcofcg.exe
  2⤵
  PID:7188

C:\Windows\SysWOW64\Pddokabk.exe
C:\Windows\system32\Pddokabk.exe
1⤵
PID:7452
- C:\Windows\SysWOW64\Phpklp32.exe
  C:\Windows\system32\Phpklp32.exe
  2⤵
  PID:7640
- - C:\Windows\SysWOW64\Pknghk32.exe
    C:\Windows\system32\Pknghk32.exe
    3⤵
    - Drops file in System32 directory
    PID:8096
  - - C:\Windows\SysWOW64\Pahpee32.exe
      C:\Windows\system32\Pahpee32.exe
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        5⤵
        
        PID:1824
      - C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Qajlje32.exe
        
        C:\Windows\system32\Qajlje32.exe
        7⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Qdihfq32.exe
        
        C:\Windows\system32\Qdihfq32.exe
        8⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        9⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3096
        
        C:\Windows\SysWOW64\Adkelplc.exe
        
        C:\Windows\system32\Adkelplc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Ajhndgjj.exe
        
        C:\Windows\system32\Ajhndgjj.exe
        13⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Ancjef32.exe
        
        C:\Windows\system32\Ancjef32.exe
        14⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        15⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        16⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Akgjnj32.exe
        
        C:\Windows\system32\Akgjnj32.exe
        17⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Anffje32.exe
        
        C:\Windows\system32\Anffje32.exe
        18⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10048
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Akjgdjoj.exe
        
        C:\Windows\system32\Akjgdjoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3720
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8296

C:\Windows\SysWOW64\Ahngmnnd.exe
C:\Windows\system32\Ahngmnnd.exe
1⤵
- Drops file in System32 directory
PID:8480
- C:\Windows\SysWOW64\Agqhik32.exe
  C:\Windows\system32\Agqhik32.exe
  2⤵
  PID:8572

C:\Windows\SysWOW64\Anjpeelk.exe
C:\Windows\system32\Anjpeelk.exe
1⤵
PID:6016
- C:\Windows\SysWOW64\Aqilaplo.exe
  C:\Windows\system32\Aqilaplo.exe
  2⤵
  - Drops file in System32 directory
  PID:9128
- - C:\Windows\SysWOW64\Ahpdcn32.exe
    C:\Windows\system32\Ahpdcn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9212

C:\Windows\SysWOW64\Akopoi32.exe
C:\Windows\system32\Akopoi32.exe
1⤵
PID:8492
- C:\Windows\SysWOW64\Ajaqjfbp.exe
  C:\Windows\system32\Ajaqjfbp.exe
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\Bhbahm32.exe
    C:\Windows\system32\Bhbahm32.exe
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\Bnaffdfc.exe
      C:\Windows\system32\Bnaffdfc.exe
      4⤵
      Modifies registry class
      PID:6808
    - - C:\Windows\SysWOW64\Bqpbboeg.exe
        
        C:\Windows\system32\Bqpbboeg.exe
        5⤵
        Modifies registry class
        
        PID:5128

C:\Windows\SysWOW64\Ajodef32.exe
C:\Windows\system32\Ajodef32.exe
1⤵
PID:8872

C:\Windows\SysWOW64\Bdlncn32.exe
C:\Windows\system32\Bdlncn32.exe
1⤵
PID:6400
- C:\Windows\SysWOW64\Bgjjoi32.exe
  C:\Windows\system32\Bgjjoi32.exe
  2⤵
  PID:6880

C:\Windows\SysWOW64\Bjhgke32.exe
C:\Windows\system32\Bjhgke32.exe
1⤵
PID:8952
- C:\Windows\SysWOW64\Bbpolb32.exe
  C:\Windows\system32\Bbpolb32.exe
  2⤵
  PID:9048

C:\Windows\SysWOW64\Bdnkhn32.exe
C:\Windows\system32\Bdnkhn32.exe
1⤵
PID:9104
- C:\Windows\SysWOW64\Biigildg.exe
  C:\Windows\system32\Biigildg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6776
- - C:\Windows\SysWOW64\Bjkcqdje.exe
    C:\Windows\system32\Bjkcqdje.exe
    3⤵
    PID:6832
  - - C:\Windows\SysWOW64\Bbbkbbkg.exe
      C:\Windows\system32\Bbbkbbkg.exe
      4⤵
      PID:7084
    - - C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6464
      - C:\Windows\SysWOW64\Bjmpfdhb.exe
        
        C:\Windows\system32\Bjmpfdhb.exe
        6⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Cbdhgaid.exe
        
        C:\Windows\system32\Cbdhgaid.exe
        7⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        8⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        9⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        10⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        11⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        12⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        13⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        14⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Ckafkfkp.exe
        
        C:\Windows\system32\Ckafkfkp.exe
        15⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Cnpbgajc.exe
        
        C:\Windows\system32\Cnpbgajc.exe
        16⤵
        Modifies registry class
        
        PID:10000
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10032
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        18⤵
        Drops file in System32 directory
        
        PID:10076
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        19⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\Celgjlpn.exe
        
        C:\Windows\system32\Celgjlpn.exe
        20⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        21⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        22⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        23⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        24⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        25⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Dnghhqdk.exe
        
        C:\Windows\system32\Dnghhqdk.exe
        26⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Daeddlco.exe
        
        C:\Windows\system32\Daeddlco.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        28⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        29⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        30⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        31⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        32⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8464

C:\Windows\SysWOW64\Eldlhckj.exe
C:\Windows\system32\Eldlhckj.exe
1⤵
PID:9492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9492 -s 400
  2⤵
  - Program crash
  PID:7336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 9492 -ip 9492
1⤵
PID:9908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
182KB

MD5
c50ea299be08be7cf41b73fea18b1713

SHA1
9fe5a9572f8ad858bc51815e70aed4c2182cdba0

SHA256
5a240cf5597fbd8501506bc7921f9484bcecb7cca4df971185d3dadc8c94a056

SHA512
fc3966f5ea2a058d6b484cb9596c919a448790dcdc62cb0162d1a2fa8d76a279aba05bf86655e7affdb65ce2422611f7ca208b0fee6bc5c90ff1db2182c5bc81

Download Submit
C:\Windows\SysWOW64\Adkgje32.exe

Filesize
182KB

MD5
8053a5ba3e45f60281a934c1c2245a37

SHA1
12e03ace50a82b2656dc06aebbe3ab60d1b8bc47

SHA256
571f2a8d9c09b7c2d5a4b5ed87240386b8842ba4e939dc2dd4850e66d17d463c

SHA512
d7156c2c935b840cd34516efeccac520ff2c9ae1295b41a2f7b98c81284bdb8accb6a17bead46f46488cd0c4928ee54cc93f3117b0bce186649dc4435acb36e9

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
182KB

MD5
8443d0142d6229cd0f2382b12b66894c

SHA1
18a3856fd1512c7b1c9a551238da3f51113577c3

SHA256
7c072afa77b22cccef1dd122400a14a4212029789b440dc9c9034965cd82e522

SHA512
b09c975550db5e3c49f8906fe710f527ced197571442772f2c6dc6e3f4662ed0cb6b97aa197271d9029a8516dfcfa85403781ed2644b373430e6be4bf46316f7

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
182KB

MD5
ea5f7ae8d749871d34ed40ae16a7d7bc

SHA1
5bb84004c8edc655db989109233f3f4f5cc8f930

SHA256
e65ff0eb2da52bcc20117eac843b8f3e64370de2fd9b587b4cad8a8903e663cf

SHA512
b8ca540498e71a3b9fec7facc914550d73d7b2c5aa9d89c1e3130b58d9ad2a68db16958e695b3e2718a47aa96694dd1d83ccb4aee3bf0015aec5c4375356de97

Download Submit
C:\Windows\SysWOW64\Agqhik32.exe

Filesize
182KB

MD5
b45b3f591b521a85c9d556baaccd2c03

SHA1
989a9d216cac3e6b0d823edff75865448ebf4262

SHA256
94e8f9ce35982e7205f3021979cc01f3506cc37fbf16ffaff0fa131578b108cb

SHA512
5651c5d7fe747c6eab59ee4142e27ae7f8b3175f41e3cb108c97f808c34af0eeb5cd666b9c712a7cb3eb606d7dec2a253df426d75fbe3d8ff080f7242fbddef2

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
182KB

MD5
56afa3fc310ef53aa9b821f86446beb9

SHA1
1942d56e3a2a53e5b780419a2b8fbbb28e003a59

SHA256
32c443b11b7a794ce2f6bb2e9ddb313b40c00b6dc8a670ee393094d658afcf98

SHA512
965e0304fa121cbf25f6a3d3490e5819e35ef542b8eed4176a29f28560fda503dc216496c86608587e6ef50214ef4f6c1f749c6c1493359983c513cd174f58ed

Download Submit
C:\Windows\SysWOW64\Ahpdcn32.exe

Filesize
182KB

MD5
efecdd6375388f025ee689533025bda4

SHA1
39cca14e4175680d61f8c4c3c7d42379c6d83fb1

SHA256
43f7e13c530056af4bbca8b3677483fc8fe2f73ebe0942f0156a104bc8f649ce

SHA512
a9630f31f5dcaf84d40f576bb49e107355c1cee2e75cff99b015bb8d3b72766e849ffe52504967c982e3772d60cf276d2d1a6fdb612962b8b3f27b1ea013837b

Download Submit
C:\Windows\SysWOW64\Ahpmjejp.exe

Filesize
182KB

MD5
72c3f3d92f51a3e03bd4c8a1fdc2c11f

SHA1
e5e1e793d7adf2b03222ba328ca0e68c109179e4

SHA256
4c5dc94736ae163cdc07c4c29208359e6ee0ad71865a9b117a1fb567c44ae189

SHA512
c41bf0bc663eac9fddb0de4f45b3ca4dab1dd3935a7bbc01037bbb45c15afa4c67ac11d8679541fc2c0ad83e2ac3f4b1987e5fb4008b9b4741113fdf367eebeb

Download Submit
C:\Windows\SysWOW64\Alnfpcag.exe

Filesize
182KB

MD5
84e323b803a915890ac3cd80c18af4f5

SHA1
37461be8d8bcf7ab3f817c8683b629945ef3316d

SHA256
8e6444dc7b3e33907c530818ca2ff0249fb0de7dc8f10ae4b3ded4f8612325f5

SHA512
90d6ba131d87774c02c633cdb9a8d9779805266525a71eb707a7a35de8dfd37ed90190a20c9d0c584ff8ab956a59caa83a06826b7ed008c8b44b88f810b7d11c

Download Submit
C:\Windows\SysWOW64\Aoalgn32.exe

Filesize
182KB

MD5
546c86f06b23438d39d88d18cf19459f

SHA1
7e387e3a3572b069328eb287e298b91a4d73abd2

SHA256
dfac1e2c8c978a08f9a288b696239c1ebecc2173af18e6aeaf857334f9e0d163

SHA512
a982e31e9f16c8575156eb39c95b7b3ac70f64c462dd53ef2a7596ad46a7a6ff73c39968bb1fbe99fe63b1d47625fcf420114cb909f4f84b0374f7db7ce2893d

Download Submit
C:\Windows\SysWOW64\Aojefobm.exe

Filesize
182KB

MD5
220a1466f4740eddabdb77b9ab2e751c

SHA1
449ceca3e70ee441a201ca7901eb092ab0a029dc

SHA256
1bcc231e8450e7fc4b6ad68830df7c7ab69ec8f36c7f8db611c799d8920ad361

SHA512
4c076ff49ffe386693dd8dddd1c50a2a5d4e31906eb2a7ca47fc6edda394270fa590164491176740954ac3dd60394348d93cfb7769c1fee473ff1a914ee38adb

Download Submit
C:\Windows\SysWOW64\Aonoao32.exe

Filesize
182KB

MD5
cae0179ea499fe08a7aecb08395a930d

SHA1
44a5f4186ec046d1a4b918fbae269c65fc11cb9f

SHA256
74addff8f21e6a275fef3d3af417f20f78f5aa7418227329df0b589eb012271c

SHA512
658069905aac12be0bb1d89b17f966e711f439379f367a85b0d1e841ef9fb8bc43e21937b21c7a3a6282cde518921b08a01e8954c2080e635386c49a2bd58ee5

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
182KB

MD5
3a36243fcce843c87d6c85c48efb7ee7

SHA1
f3d0a630f615a81190264ea3e39e712fd2487cc6

SHA256
5538c9e7a7fc74ebfb06ad299d552c79a18d971be29e91be68a43102231a1406

SHA512
75913fc4e834e143d6fadd21bc850d114b0eb1969385e6e9985b0cbd487ae9c6f666a2e492da9cda9d2c3f6b63b81792c145f4fa9bc4f9f229126df99cd46077

Download Submit
C:\Windows\SysWOW64\Bhbahm32.exe

Filesize
182KB

MD5
83f7cd21bf7d52e67ea97d3a90bb0db8

SHA1
5afefac61d3173892367874c561feeeb73ac6ae0

SHA256
ca1affeacd7f7fe0d3560e0e698078f2c8cf5980d9190366076d3a0b159e61b8

SHA512
f3d777b3337f34e0df39c9843c2ff03ec2c02c821209f06dc382a3d78db1d69b14152949def8d60f15ae515d85ab28ce9b3abb4c30ec58104e8e9f10a625837e

Download Submit
C:\Windows\SysWOW64\Bilcol32.exe

Filesize
182KB

MD5
c21146f88d853553241531fcf2e5fce3

SHA1
128da05d80778306e9fc9105d3b344c55de6238e

SHA256
bb036891180ce674f5c8cfff2bb5bdc2c9207b91c8d3f8802cb3abf385084dd1

SHA512
bfbb2b07bcde78c3d39040f5338eccc746a9e34897318da3ca8c771c09593297da47e00aee0abc5dc2fbe516ccd78fa684571a7474ea966c49fb98fa06dacb75

Download Submit
C:\Windows\SysWOW64\Bkjiao32.exe

Filesize
182KB

MD5
8717f095b2db17deb829e50b2823cda3

SHA1
dd5d791a4d669466a77a0ab50de0d00709340679

SHA256
d9e29650b2cce126b017df761879587362bdbbeee240b5130366e07eddb447f9

SHA512
f186a1dcccffe6e29aeb467423295b0bffe5180f774ed94e0ad9c0c041d8f9faafe14dad19c8552ce7b322e82a8da300b11bcd107058fea7270ea4e8e3292948

Download Submit
C:\Windows\SysWOW64\Bnkbcj32.exe

Filesize
182KB

MD5
306df5973d2ac269dab68b50c41febe3

SHA1
6b8158fdd456dc790a0c67d73db176add4169a80

SHA256
ba5bf77f1f452ad25d21c11d7a3ae54393243422d3384c92fb9d2f473b6a3ae8

SHA512
b7730e983860d9138cc90aa2d11f7d515dfbb16fb5b8bc6d10217b7b40591faafcb94d33f7a968fb7e4eac36d41dd9287726188d690909abd975d9e2d391c9a6

Download Submit
C:\Windows\SysWOW64\Bochmn32.exe

Filesize
182KB

MD5
8bdab43e7f394fff931728db13e6e1f9

SHA1
7dac1a01bd5250fc2f19af5b4334eb5a40db2f6a

SHA256
ce67bac74ad7239ff3baf9691298b7708b7c5513046dd65e06cc9be9bd82481d

SHA512
a150fb12b3f3f29413d8412716a728606c1354a38e742398c053a255db8b7b7becec0f9010d9dbc462011a95e60426e7c5ac39a2ee7aed62fced83f23a33508d

Download Submit
C:\Windows\SysWOW64\Bojomm32.exe

Filesize
182KB

MD5
465b53b208219effdc6b8d8aad5bcb9d

SHA1
70146960a6cd525f64871907ddc1069a8a531a74

SHA256
70d70e272921d40d5f834736812341754ef60eb42077c107f1294aaf412b6996

SHA512
1e1a50a1c4e71aefbaed0c3bda14da16f18b69d619ab790bd0130d3fa9070ea973c391e7e1dd239ecf4aee365269f063be2bd18474c5275e5eb8aeb4da6c0423

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
182KB

MD5
e877a8328e601c2bc5eb4abc74b587fe

SHA1
55d80985f3f122149b08543033d9f84f24835d8b

SHA256
c1a2d11b22f5a2d5661efc09e609a0402758951724690086bb9e04fef6675f29

SHA512
b4fac843cf22c185e6a5ae2f16affbcd132b2fbf896146d2dc12568f01b6849906b7ea3ccf6db446a2209ac603ed04d33e520c5dce733055494ae4b51db9e945

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
182KB

MD5
b7752644edb06f1c85ea0b6f48ca9290

SHA1
1679cf658de8353e691613de0034c2b0cc6997d7

SHA256
97ee3bba34dca917c1c94199e68e5246ab39dcef2d4463f228227809cadde973

SHA512
bfc501c8c94edd7450a1f3c24e6e12e18285aca3f3c19bbb9290064174f05ea9939f7dcee9581ac8785658901c1c402aa4ccb52f8ef7867692f08f2358be4c31

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
182KB

MD5
bf40867477ab358501e575a7b4d46c93

SHA1
7990e6618b6dd25b81472e9a136ab7d094563ff0

SHA256
d3369066fc8d08edd5870ed911595fa24207ed8c6e3181073bffa678149a93b9

SHA512
4ce67d30485a9e3e4e3eec7beedcbfb1f89553dc824348df5c5603d0b1b103962e0cb52b84ea8d76733663063d6f2aa5cb82d60fa8703f8ad2e6b0a6ff6ef824

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
182KB

MD5
1977153f706e4d7494f3785a748b24d2

SHA1
ec755bbd06f2751d575f0549fc68cd2c56c3ca2c

SHA256
4b40ee82a7142637f59fb0c2aa347c6df1bfa20cccda7819c71868bd84a43582

SHA512
105231e290bfd2d9d66a45892d4f24f4450f31a41c65a261c5072a47a26934b03628d6d702095a87bdd29e0b7cafa3f4702b5ab9f757477be91bbd650460584c

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
92KB

MD5
fb036c818f1529b64bf3ff97a5e92666

SHA1
d381bf2c8cd0c42457b8d82e7f8c01f37a719f90

SHA256
a9933af676116cab5d8c8164ac2ac4380c26c3d7298a504d71b7c39b641c5638

SHA512
b31212fbf02ddcafa4ca95e5fc2a6ec160a682d42b434745d6fdc6cc552af83b75038ce70423da027464c1698ba8c998e16f78cdc75dca6335ff0c70fd1a9bbd

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
182KB

MD5
fc2af822bbe3559501aa2efb0d535316

SHA1
ddb4f398c5ee89aa30817bbe3f5dddbcaa90eca0

SHA256
6903837efb90c6ceeda44d189eac14e6d086a1cbf7dac90bc06ee75982a418d3

SHA512
4fd10b4256054a7fe50e6de5b3b3489cd6636ac7bd0f4da7e8f1e0662cb252153cae0d55e303c0392649ad9a8dc0749da790a732645561130a6f9f7ad1e294ab

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
182KB

MD5
8a3f6e4cd31ea52486ac5518a7fe39ad

SHA1
b60234fd22c56916842eb3b63bd6472370b0a8f2

SHA256
70e917fefa0925059f32a13abbe04f9c478004c3b4f324b014c8fbbad8cc5663

SHA512
de8bf3b9116fff512bdd1546ed77761020a6dd634703c24d5ae38193f47a60a5e63589f0e11727bc6baba5c4e3e4864e0905dbd1908fc695d17c92afbf5be042

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
92KB

MD5
10ae2d0151765a4aa595220704b0abe2

SHA1
bb1787f70c523f0c9235b3e64751899ee40a31ef

SHA256
77453650b5d0f2ab4aa71cffff92439500888e365f6bab07f944d77bfad17c19

SHA512
55858641b509f92d56c94461c42690f9ee0e144c5dadd94d4e6645fb8d08e25d8311bd2eaccb8dd3b4ee5661fd177f628b01a6abd8ef989da0f0a8d97b4d28c4

Download Submit
C:\Windows\SysWOW64\Odaiodbp.exe

Filesize
182KB

MD5
5a4d5ac64d8204fcb8d304ff1ad9f4ec

SHA1
dbb2a73c8bc38edc1f5d34024b9e89b60b63ed0e

SHA256
ed55f551be9981bcf7c22d586a468ff39dcbb85f3f0d98172ed3b4ce3b9c7fff

SHA512
a3100c1807f485ed3a4c59bb9e0f690ef2fddfe3d3f6b3aefc87e1a97c8de53b15668e9e1f176838e7f31bbc371da253fe1557a751459794acb36658e08314be

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
182KB

MD5
261f6bd5846aa9be5b8630cc775dead4

SHA1
e4d1bccdd8191ac8c0deab0d27d293d320c10d3e

SHA256
1e765e6f959ae01373285cc0e0e7b3c4f6a3369876b37e7b5a16146e304702fb

SHA512
8ca6c75b78c53fbe71a908917e89956197d3156579cd2b269548ee1abac439761473f3f984efd38998f546158ef1e84713ade914fa75f9f17cb230077d941ea4

Download Submit
C:\Windows\SysWOW64\Pahpee32.exe

Filesize
182KB

MD5
415f74037cab35eb1b57844382f422cc

SHA1
277b7f0fa563434fea508dd26cae70b586780377

SHA256
8a4ee434d241682ad70cb70c862a3f80798353f5a03b0813ec076c65db1dbed2

SHA512
faef3d3cc01edcf78ac903243c496094fcbd356b72d182a39923b44c9eaff1787d697153c85a043e2df1886b2a6121e6eacf0f8a76a5c9fd96556b660a7dc7d2

Download Submit
C:\Windows\SysWOW64\Pdmkhgho.exe

Filesize
182KB

MD5
f5e5e1181875af9c1d126f5fd66cb052

SHA1
29f13160ccd092e11cb87ac512f2e788dbb10dd9

SHA256
d88d446b2454676ff6087560cf4bd295c3704bf8a74da091d95edec793edf931

SHA512
ef383dd87975c637bf3ef5be26dc342f380792bd82ef33c739198cfe14479be44fc3f4249fe7e95d1865ecb15b93b268f6454b1095bd09d2ff492e73f933ad8f

Download Submit
C:\Windows\SysWOW64\Pnhjig32.exe

Filesize
182KB

MD5
8a5c17d37d336e6a33de5c9a95e67e4a

SHA1
90cb1e4f58132ad39dcbae11a298605a94be0880

SHA256
d0c00857fac52629a771d53db3796255fa03f70089918ef92a00fa009b2c1457

SHA512
a2a188a644300264735754ec1c9ebab6dbc4374a8d43855e794991d9682364f71d010596588c13b64c619b40e4db2510730f341239f615ed0b131c1f6d1d9f3a

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
182KB

MD5
17cfef4f415800d4cca2ada29368851b

SHA1
1cb200f509ef20f59f3e7524abf8964b48de6d59

SHA256
b4c576738577bde4510f03df0dd69a6b742ea5092b4fe28911c8458127ab5d30

SHA512
3a0aa3e98819878a36b26bf0abe2c522935b4c9c1650d42ab345ecba400f2b6e183711829df3527513075534924d5177aca4ca3cbc9f693a8aa704d8478ec2b3

Download Submit
C:\Windows\SysWOW64\Qaalblgi.exe

Filesize
182KB

MD5
42d92d3d5ebfb06f18f8bd34e6fbdb16

SHA1
2a5922b64029cb527891f190e936a5913862417e

SHA256
e49857a0b3e7359a323b770d6e4552b0173dbc0165a6be0470c8b1a9160bf5af

SHA512
556d82eea5399bb903af9555450585fb13a247d719570b638ebc0ffc4df460a936cb979befe85b3fa875ad43ee6737cd230b904a4b27cabcde7ac3399c039e3d

Download Submit
C:\Windows\SysWOW64\Qdbdcg32.exe

Filesize
182KB

MD5
edd56342eb7b005723f60bba1a9a09d1

SHA1
35d97fb6b9197015af065cc6720d1a296c73a5d0

SHA256
1e231559f3bc2f89ab4677bedcc8d9125cd20f43329d261658742fcdfc1389aa

SHA512
a3ed713fe4ce633e537c75a7480e5205f09bb5f2627672644b46e09fb5f74d5a87bf338e682b74665d694ea9cc1c1f2d71f04f107512668d1128fd814da352a3

Download Submit
C:\Windows\SysWOW64\Qhkdof32.exe

Filesize
182KB

MD5
cebbdea04802bf2d561d742bbf06bc74

SHA1
c190029248e130ecc722a46717985606a16a8c9c

SHA256
60f77370b93153c869ac9fdbd1d060ca5ce1ceacfae2e75bab780dd63129cede

SHA512
9d4597e6e89f065532ffaa352104f4748b0fb9b0274d9c4099ff9872317f6ca5922cf5dbf2843b3d063b4c05acd1ee9be49bbbd46c62990bf5133a08f0539d46

Download Submit
memory/552-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5140-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5180-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5224-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5264-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads