a1aa831fa7e8c22ebcdf0b1d744afeb3a6b1d3d359c69423dccf1a95b44c8201

Analysis

max time kernel
32s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e3460faec736f0447ebd2fa0322fc2.exe
Size

56KB
MD5

78e3460faec736f0447ebd2fa0322fc2
SHA1

d0e98219b874c6ad190a5f6763cf89fea568f9d7
SHA256

a1aa831fa7e8c22ebcdf0b1d744afeb3a6b1d3d359c69423dccf1a95b44c8201
SHA512

c0109366cc172ad2cd4154f4d66bc144f983d4ec43f14102b7684616b3ea67fa4331e449091c01f7767809991c637fd1912c8bf2edc597ff9f31c711d60a999d
SSDEEP

768:TSAitR8y1soBXeHV/0oMROv8+WHGw1VNFK3/1H5pnXdnh:TSTCyG/0oMROQHGiAdb9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmglcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leopnglc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boflmdkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgfapd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmmni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbjkngo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilpmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpgli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmimai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emmkiclm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkdjfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmcce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjpijpdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinmcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dblgpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elnoopdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmechmip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdokdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmihij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkabjbih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmbbejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfaohbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkifn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	78e3460faec736f0447ebd2fa0322fc2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiggbhda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaompd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijqmhnko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbiejoaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhcjqinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giinpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gikkfqmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdjbiheb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakacjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdhiojo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhoqeibl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpdoqgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdaociml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoclopne.exe

Executes dropped EXE 64 IoCs

pid	Process
2452	Ipbdmaah.exe
2060	Iikhfg32.exe
400	Icplcpgo.exe
4636	Jeaikh32.exe
3104	Jcbihpel.exe
2732	Jlnnmb32.exe
3672	Jfcbjk32.exe
4132	Jcgbco32.exe
1856	Cnfaohbj.exe
2720	Maggnali.exe
1964	Jmbdbd32.exe
2584	Jcllonma.exe
1616	Kfjhkjle.exe
2132	Kmdqgd32.exe
4256	Kdnidn32.exe
2212	Mnpabe32.exe
3416	Kmfmmcbo.exe
4004	Kpeiioac.exe
2228	Kfoafi32.exe
4512	Kmijbcpl.exe
2328	Kdcbom32.exe
2588	Kedoge32.exe
2608	Klngdpdd.exe
208	Kbhoqj32.exe
1660	Kmncnb32.exe
4428	Kdgljmcd.exe
1640	Leihbeib.exe
908	Llcpoo32.exe
5112	Lfhdlh32.exe
2012	Lmbmibhb.exe
3872	Ldleel32.exe
2980	Llgjjnlj.exe
2380	Coohhlpe.exe
1392	Likjcbkc.exe
624	Ldanqkki.exe
1688	Lebkhc32.exe
3868	Lmiciaaj.exe
2292	Hmbphg32.exe
2808	Mlcifmbl.exe
1860	Mcmabg32.exe
876	Migjoaaf.exe
2924	Mlefklpj.exe
216	Mgkjhe32.exe
3256	Mnebeogl.exe
820	Qmepam32.exe
4760	Igajal32.exe
4628	Bdbnjdfg.exe
2988	Cfpffeaj.exe
3864	Nloiakho.exe
692	Ncianepl.exe
3880	Nnneknob.exe
4784	Bafndi32.exe
2532	Nggjdc32.exe
4420	Nnqbanmo.exe
3332	Aojefobm.exe
2168	Oflgep32.exe
1936	Oncofm32.exe
1744	Odmgcgbi.exe
3776	Ofnckp32.exe
4700	Opdghh32.exe
4604	Ognpebpj.exe
3300	Ocdqjceo.exe
3292	Ofcmfodb.exe
4200	Olmeci32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmbheilp.dll	Lkabjbih.exe
File created	C:\Windows\SysWOW64\Gdliee32.dll	Pllgnl32.exe
File opened for modification	C:\Windows\SysWOW64\Icfekc32.exe	Ilmmni32.exe
File created	C:\Windows\SysWOW64\Niehpfnk.dll	Ckkiccep.exe
File created	C:\Windows\SysWOW64\Hpopgneq.dll	Mhoipb32.exe
File created	C:\Windows\SysWOW64\Kimapcmi.dll	Pefhlaie.exe
File opened for modification	C:\Windows\SysWOW64\Cioilg32.exe	Cfqmpl32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Jkaicd32.exe	Jibmgi32.exe
File opened for modification	C:\Windows\SysWOW64\Oekiqccc.exe	Oaompd32.exe
File created	C:\Windows\SysWOW64\Dkdliame.exe	Djcoai32.exe
File created	C:\Windows\SysWOW64\Iinqbn32.exe	Icdheded.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Llflea32.exe	Lelchgne.exe
File opened for modification	C:\Windows\SysWOW64\Mbbagk32.exe	Ljkifn32.exe
File created	C:\Windows\SysWOW64\Cmmbbejp.exe	Cjnffjkl.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Pedlgbkh.exe	Pcepkfld.exe
File created	C:\Windows\SysWOW64\Aaopkj32.dll	Bfngdn32.exe
File created	C:\Windows\SysWOW64\Fajbad32.dll	Hkdjfb32.exe
File opened for modification	C:\Windows\SysWOW64\Jibmgi32.exe	Jbiejoaj.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Mnpabe32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Gncchb32.exe
File created	C:\Windows\SysWOW64\Dimenegi.exe	Dfoiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Eidlnd32.exe	Ejalcgkg.exe
File created	C:\Windows\SysWOW64\Golneb32.dll	Glldgljg.exe
File created	C:\Windows\SysWOW64\Hdehni32.exe	Hloqml32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Meamcg32.exe	Mbbagk32.exe
File opened for modification	C:\Windows\SysWOW64\Olbdhn32.exe	Oidhlb32.exe
File created	C:\Windows\SysWOW64\Efjimhnh.exe	Eclmamod.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Lankbigo.exe	Lnpofnhk.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Eefaomcg.exe	Eolhbc32.exe
File created	C:\Windows\SysWOW64\Ifhahnbj.dll	Glgjlm32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Cjjlkk32.exe	Ccpdoqgd.exe
File opened for modification	C:\Windows\SysWOW64\Glengm32.exe	Gjdaodja.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Eonehbjg.exe	Ehdmlhcj.exe
File created	C:\Windows\SysWOW64\Coiaiakf.exe	Cioilg32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Laniklje.dll	Dpehof32.exe
File created	C:\Windows\SysWOW64\Neqhhf32.dll	Dcpmen32.exe
File created	C:\Windows\SysWOW64\Ejchhgid.exe	Eciplm32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Iebngial.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pnaopd32.dll	Gmimai32.exe
File created	C:\Windows\SysWOW64\Nllbhl32.dll	Dfoplpla.exe
File created	C:\Windows\SysWOW64\Lghcocol.exe	Lankbigo.exe
File opened for modification	C:\Windows\SysWOW64\Dkdliame.exe	Djcoai32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Kjageedl.dll	Eglgbdep.exe
File opened for modification	C:\Windows\SysWOW64\Qkmdkgob.exe	Qhngolpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
13080	6388	WerFault.exe	667

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egdqae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Allpejfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjpknni.dll"	Gikkfqmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogiifoh.dll"	Lajagj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poajkgnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbpdblmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkellk32.dll"	Afkknogn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcpmen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipmbjgpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjdachc.dll"	Dmihij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knflpoqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll"	Giinpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkbmqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll"	Fnjhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llflea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aodogdmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejbl32.dll"	Kjmmepfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phganm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elnoopdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkafocc.dll"	Ilmmni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdbhkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdjbiheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gndcedao.dll"	Kaehljpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcnob32.dll"	Lbpdblmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leopnglc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkapdda.dll"	Aoofle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdcojj.dll"	Gingkqkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeleklf.dll"	Llflea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olbdhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eolhbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnpfop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfendmoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkdjfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpmd32.dll"	Jdbhkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbinam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll"	Allpejfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	78e3460faec736f0447ebd2fa0322fc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Bdbnjdfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djelgied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okchnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhidbhg.dll"	Alqjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpqkcpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iljpij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hplicjok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinqbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhomfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkaicd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efafgifc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glengm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohokaph.dll"	Qadoba32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2452	4548	78e3460faec736f0447ebd2fa0322fc2.exe	157
PID 4548 wrote to memory of 2452	4548	78e3460faec736f0447ebd2fa0322fc2.exe	157
PID 4548 wrote to memory of 2452	4548	78e3460faec736f0447ebd2fa0322fc2.exe	157
PID 2452 wrote to memory of 2060	2452	Ipbdmaah.exe	156
PID 2452 wrote to memory of 2060	2452	Ipbdmaah.exe	156
PID 2452 wrote to memory of 2060	2452	Ipbdmaah.exe	156
PID 2060 wrote to memory of 400	2060	Iikhfg32.exe	154
PID 2060 wrote to memory of 400	2060	Iikhfg32.exe	154
PID 2060 wrote to memory of 400	2060	Iikhfg32.exe	154
PID 400 wrote to memory of 4636	400	Icplcpgo.exe	28
PID 400 wrote to memory of 4636	400	Icplcpgo.exe	28
PID 400 wrote to memory of 4636	400	Icplcpgo.exe	28
PID 4636 wrote to memory of 3104	4636	Jeaikh32.exe	153
PID 4636 wrote to memory of 3104	4636	Jeaikh32.exe	153
PID 4636 wrote to memory of 3104	4636	Jeaikh32.exe	153
PID 3104 wrote to memory of 2732	3104	Jcbihpel.exe	152
PID 3104 wrote to memory of 2732	3104	Jcbihpel.exe	152
PID 3104 wrote to memory of 2732	3104	Jcbihpel.exe	152
PID 2732 wrote to memory of 3672	2732	Jlnnmb32.exe	30
PID 2732 wrote to memory of 3672	2732	Jlnnmb32.exe	30
PID 2732 wrote to memory of 3672	2732	Jlnnmb32.exe	30
PID 3672 wrote to memory of 4132	3672	Jfcbjk32.exe	31
PID 3672 wrote to memory of 4132	3672	Jfcbjk32.exe	31
PID 3672 wrote to memory of 4132	3672	Jfcbjk32.exe	31
PID 4132 wrote to memory of 1856	4132	Jcgbco32.exe	474
PID 4132 wrote to memory of 1856	4132	Jcgbco32.exe	474
PID 4132 wrote to memory of 1856	4132	Jcgbco32.exe	474
PID 1856 wrote to memory of 2720	1856	Cnfaohbj.exe	432
PID 1856 wrote to memory of 2720	1856	Cnfaohbj.exe	432
PID 1856 wrote to memory of 2720	1856	Cnfaohbj.exe	432
PID 2720 wrote to memory of 1964	2720	Maggnali.exe	149
PID 2720 wrote to memory of 1964	2720	Maggnali.exe	149
PID 2720 wrote to memory of 1964	2720	Maggnali.exe	149
PID 1964 wrote to memory of 2584	1964	Jmbdbd32.exe	147
PID 1964 wrote to memory of 2584	1964	Jmbdbd32.exe	147
PID 1964 wrote to memory of 2584	1964	Jmbdbd32.exe	147
PID 2584 wrote to memory of 1616	2584	Jcllonma.exe	146
PID 2584 wrote to memory of 1616	2584	Jcllonma.exe	146
PID 2584 wrote to memory of 1616	2584	Jcllonma.exe	146
PID 1616 wrote to memory of 2132	1616	Kfjhkjle.exe	145
PID 1616 wrote to memory of 2132	1616	Kfjhkjle.exe	145
PID 1616 wrote to memory of 2132	1616	Kfjhkjle.exe	145
PID 2132 wrote to memory of 4256	2132	Kmdqgd32.exe	32
PID 2132 wrote to memory of 4256	2132	Kmdqgd32.exe	32
PID 2132 wrote to memory of 4256	2132	Kmdqgd32.exe	32
PID 4256 wrote to memory of 2212	4256	Kdnidn32.exe	434
PID 4256 wrote to memory of 2212	4256	Kdnidn32.exe	434
PID 4256 wrote to memory of 2212	4256	Kdnidn32.exe	434
PID 2212 wrote to memory of 3416	2212	Mnpabe32.exe	143
PID 2212 wrote to memory of 3416	2212	Mnpabe32.exe	143
PID 2212 wrote to memory of 3416	2212	Mnpabe32.exe	143
PID 3416 wrote to memory of 4004	3416	Kmfmmcbo.exe	142
PID 3416 wrote to memory of 4004	3416	Kmfmmcbo.exe	142
PID 3416 wrote to memory of 4004	3416	Kmfmmcbo.exe	142
PID 4004 wrote to memory of 2228	4004	Kpeiioac.exe	141
PID 4004 wrote to memory of 2228	4004	Kpeiioac.exe	141
PID 4004 wrote to memory of 2228	4004	Kpeiioac.exe	141
PID 2228 wrote to memory of 4512	2228	Kfoafi32.exe	140
PID 2228 wrote to memory of 4512	2228	Kfoafi32.exe	140
PID 2228 wrote to memory of 4512	2228	Kfoafi32.exe	140
PID 4512 wrote to memory of 2328	4512	Kmijbcpl.exe	139
PID 4512 wrote to memory of 2328	4512	Kmijbcpl.exe	139
PID 4512 wrote to memory of 2328	4512	Kmijbcpl.exe	139
PID 2328 wrote to memory of 2588	2328	Kdcbom32.exe	138

C:\Users\Admin\AppData\Local\Temp\78e3460faec736f0447ebd2fa0322fc2.exe
"C:\Users\Admin\AppData\Local\Temp\78e3460faec736f0447ebd2fa0322fc2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\Ipbdmaah.exe
  C:\Windows\system32\Ipbdmaah.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452

C:\Windows\SysWOW64\Jeaikh32.exe
C:\Windows\system32\Jeaikh32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3104

C:\Windows\SysWOW64\Jfcbjk32.exe
C:\Windows\system32\Jfcbjk32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\Jcgbco32.exe
  C:\Windows\system32\Jcgbco32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\Jmpgldhg.exe
    C:\Windows\system32\Jmpgldhg.exe
    3⤵
    PID:1856

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  PID:2212

C:\Windows\SysWOW64\Llcpoo32.exe
C:\Windows\system32\Llcpoo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  - Executes dropped EXE
  PID:5112

C:\Windows\SysWOW64\Lbabgh32.exe
C:\Windows\system32\Lbabgh32.exe
1⤵
PID:2380
- C:\Windows\SysWOW64\Likjcbkc.exe
  C:\Windows\system32\Likjcbkc.exe
  2⤵
  - Executes dropped EXE
  PID:1392

C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
1⤵
- Executes dropped EXE
PID:624
- C:\Windows\SysWOW64\Lebkhc32.exe
  C:\Windows\system32\Lebkhc32.exe
  2⤵
  - Executes dropped EXE
  PID:1688

C:\Windows\SysWOW64\Lmiciaaj.exe
C:\Windows\system32\Lmiciaaj.exe
1⤵
- Executes dropped EXE
PID:3868
- C:\Windows\SysWOW64\Mbfkbhpa.exe
  C:\Windows\system32\Mbfkbhpa.exe
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\Mlcifmbl.exe
    C:\Windows\system32\Mlcifmbl.exe
    3⤵
    - Executes dropped EXE
    PID:2808

C:\Windows\SysWOW64\Mlefklpj.exe
C:\Windows\system32\Mlefklpj.exe
1⤵
- Executes dropped EXE
PID:2924
- C:\Windows\SysWOW64\Mgkjhe32.exe
  C:\Windows\system32\Mgkjhe32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:216
- - C:\Windows\SysWOW64\Mnebeogl.exe
    C:\Windows\system32\Mnebeogl.exe
    3⤵
    - Executes dropped EXE
    PID:3256
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      PID:820
    - - C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        6⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        7⤵
        
        PID:9476

C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
1⤵
PID:4760
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\Njqmepik.exe
    C:\Windows\system32\Njqmepik.exe
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\Nloiakho.exe
      C:\Windows\system32\Nloiakho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:3864
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Executes dropped EXE
        
        PID:692
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
  - - C:\Windows\SysWOW64\Cljobphg.exe
      C:\Windows\system32\Cljobphg.exe
      4⤵
      PID:5392
    - - C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        5⤵
        
        PID:6064
      - C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        6⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        7⤵
        
        PID:5248
- C:\Windows\SysWOW64\Imkbnf32.exe
  C:\Windows\system32\Imkbnf32.exe
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\Ipjoja32.exe
    C:\Windows\system32\Ipjoja32.exe
    3⤵
    PID:5924

C:\Windows\SysWOW64\Nnqbanmo.exe
C:\Windows\system32\Nnqbanmo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4420
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  PID:3332

C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
1⤵
- Executes dropped EXE
PID:2168
- C:\Windows\SysWOW64\Oncofm32.exe
  C:\Windows\system32\Oncofm32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1936
- - C:\Windows\SysWOW64\Odmgcgbi.exe
    C:\Windows\system32\Odmgcgbi.exe
    3⤵
    - Executes dropped EXE
    PID:1744
  - - C:\Windows\SysWOW64\Ofnckp32.exe
      C:\Windows\system32\Ofnckp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:3776

C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
1⤵
- Executes dropped EXE
PID:4700
- C:\Windows\SysWOW64\Ognpebpj.exe
  C:\Windows\system32\Ognpebpj.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- - C:\Windows\SysWOW64\Ocdqjceo.exe
    C:\Windows\system32\Ocdqjceo.exe
    3⤵
    - Executes dropped EXE
    PID:3300
  - - C:\Windows\SysWOW64\Ofcmfodb.exe
      C:\Windows\system32\Ofcmfodb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:3292

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4200
- C:\Windows\SysWOW64\Ocgmpccl.exe
  C:\Windows\system32\Ocgmpccl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5144

C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184
- C:\Windows\SysWOW64\Pdfjifjo.exe
  C:\Windows\system32\Pdfjifjo.exe
  2⤵
  - Drops file in System32 directory
  PID:5224
- - C:\Windows\SysWOW64\Pfhfan32.exe
    C:\Windows\system32\Pfhfan32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:5264
  - - C:\Windows\SysWOW64\Pdifoehl.exe
      C:\Windows\system32\Pdifoehl.exe
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
      - C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        6⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        9⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        11⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        12⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        13⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        14⤵
        Modifies registry class
        
        PID:5716

C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5796
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\Anmjcieo.exe
    C:\Windows\system32\Anmjcieo.exe
    3⤵
    PID:5888
  - - C:\Windows\SysWOW64\Ajckij32.exe
      C:\Windows\system32\Ajckij32.exe
      4⤵
      PID:5940
    - - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        5⤵
        Drops file in System32 directory
        
        PID:5980
    - - C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        5⤵
        
        PID:6072

C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
1⤵
PID:5756

C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
1⤵
PID:4784
- C:\Windows\SysWOW64\Bkobmnka.exe
  C:\Windows\system32\Bkobmnka.exe
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\Bnmoijje.exe
    C:\Windows\system32\Bnmoijje.exe
    3⤵
    PID:5676
  - - C:\Windows\SysWOW64\Bdgged32.exe
      C:\Windows\system32\Bdgged32.exe
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        5⤵
        
        PID:5408
      - C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        6⤵
        
        PID:4612

C:\Windows\SysWOW64\Migjoaaf.exe
C:\Windows\system32\Migjoaaf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1860

C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\system32\Cnicfe32.exe
1⤵
PID:6024
- C:\Windows\SysWOW64\Cagobalc.exe
  C:\Windows\system32\Cagobalc.exe
  2⤵
  PID:6072
- - C:\Windows\SysWOW64\Ffnknafg.exe
    C:\Windows\system32\Ffnknafg.exe
    3⤵
    PID:2300

C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
1⤵
PID:6112
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:5132

C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
1⤵
PID:5212
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\Cdhhdlid.exe
    C:\Windows\system32\Cdhhdlid.exe
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\Cffdpghg.exe
      C:\Windows\system32\Cffdpghg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5440

C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:5592
- - C:\Windows\SysWOW64\Dhfajjoj.exe
    C:\Windows\system32\Dhfajjoj.exe
    3⤵
    - Drops file in System32 directory
    PID:5664
  - - C:\Windows\SysWOW64\Djdmffnn.exe
      C:\Windows\system32\Djdmffnn.exe
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        5⤵
        
        PID:5816
      - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        6⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        7⤵
        
        PID:5936

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
1⤵
- Drops file in System32 directory
PID:6052
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5332
    - - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        5⤵
        
        PID:5456

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
1⤵
PID:5584
- C:\Windows\SysWOW64\Dmjocp32.exe
  C:\Windows\system32\Dmjocp32.exe
  2⤵
  PID:5668
- - C:\Windows\SysWOW64\Deagdn32.exe
    C:\Windows\system32\Deagdn32.exe
    3⤵
    - Modifies registry class
    PID:5784

C:\Windows\SysWOW64\Eecdjmfi.exe
C:\Windows\system32\Eecdjmfi.exe
1⤵
PID:6012
- C:\Windows\SysWOW64\Egdqae32.exe
  C:\Windows\system32\Egdqae32.exe
  2⤵
  - Modifies registry class
  PID:6100

C:\Windows\SysWOW64\Eolhbc32.exe
C:\Windows\system32\Eolhbc32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5232
- C:\Windows\SysWOW64\Eefaomcg.exe
  C:\Windows\system32\Eefaomcg.exe
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\Ehdmlhcj.exe
    C:\Windows\system32\Ehdmlhcj.exe
    3⤵
    - Drops file in System32 directory
    PID:5544
  - - C:\Windows\SysWOW64\Eonehbjg.exe
      C:\Windows\system32\Eonehbjg.exe
      4⤵
      PID:5808
- - C:\Windows\SysWOW64\Gmfplibd.exe
    C:\Windows\system32\Gmfplibd.exe
    3⤵
    PID:392

C:\Windows\SysWOW64\Eehnem32.exe
C:\Windows\system32\Eehnem32.exe
1⤵
PID:5920
- C:\Windows\SysWOW64\Ehfjah32.exe
  C:\Windows\system32\Ehfjah32.exe
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\Eopbnbhd.exe
    C:\Windows\system32\Eopbnbhd.exe
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\Eaonjngh.exe
      C:\Windows\system32\Eaonjngh.exe
      4⤵
      PID:5484
    - - C:\Windows\SysWOW64\Eglgbdep.exe
        
        C:\Windows\system32\Eglgbdep.exe
        5⤵
        Drops file in System32 directory
        
        PID:5316
      - C:\Windows\SysWOW64\Emeoooml.exe
        
        C:\Windows\system32\Emeoooml.exe
        6⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Edpgli32.exe
        
        C:\Windows\system32\Edpgli32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ekiohclf.exe
        
        C:\Windows\system32\Ekiohclf.exe
        8⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Eachem32.exe
        
        C:\Windows\system32\Eachem32.exe
        9⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        10⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        11⤵
        
        PID:4436

C:\Windows\SysWOW64\Feocelll.exe
C:\Windows\system32\Feocelll.exe
1⤵
PID:5180
- C:\Windows\SysWOW64\Fgppmd32.exe
  C:\Windows\system32\Fgppmd32.exe
  2⤵
  PID:5868
- - C:\Windows\SysWOW64\Fnjhjn32.exe
    C:\Windows\system32\Fnjhjn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:6332
  - - C:\Windows\SysWOW64\Dakacjdb.exe
      C:\Windows\system32\Dakacjdb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6376
    - - C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        5⤵
        
        PID:6416
      - C:\Windows\SysWOW64\Djdflp32.exe
        
        C:\Windows\system32\Djdflp32.exe
        6⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Dpqodfij.exe
        
        C:\Windows\system32\Dpqodfij.exe
        7⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Dhhfedil.exe
        
        C:\Windows\system32\Dhhfedil.exe
        8⤵
        
        PID:6556
- C:\Windows\SysWOW64\Hbhboolf.exe
  C:\Windows\system32\Hbhboolf.exe
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\Hefnkkkj.exe
    C:\Windows\system32\Hefnkkkj.exe
    3⤵
    PID:5932
  - - C:\Windows\SysWOW64\Hmmfmhll.exe
      C:\Windows\system32\Hmmfmhll.exe
      4⤵
      PID:6468

C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
1⤵
PID:4676

C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
1⤵
PID:5988

C:\Windows\SysWOW64\Llgjjnlj.exe
C:\Windows\system32\Llgjjnlj.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\SysWOW64\Lmbmibhb.exe
C:\Windows\system32\Lmbmibhb.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\Leihbeib.exe
C:\Windows\system32\Leihbeib.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1640

C:\Windows\SysWOW64\Kdgljmcd.exe
C:\Windows\system32\Kdgljmcd.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\Kmncnb32.exe
C:\Windows\system32\Kmncnb32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1660

C:\Windows\SysWOW64\Kbhoqj32.exe
C:\Windows\system32\Kbhoqj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:208

C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608

C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Kmijbcpl.exe
C:\Windows\system32\Kmijbcpl.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\Kfoafi32.exe
C:\Windows\system32\Kfoafi32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\Kmfmmcbo.exe
C:\Windows\system32\Kmfmmcbo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\Kmdqgd32.exe
C:\Windows\system32\Kmdqgd32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\Kfjhkjle.exe
C:\Windows\system32\Kfjhkjle.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\Jcllonma.exe
C:\Windows\system32\Jcllonma.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Jblpek32.exe
C:\Windows\system32\Jblpek32.exe
1⤵
PID:2720

C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\Iikhfg32.exe
C:\Windows\system32\Iikhfg32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Diicml32.exe
C:\Windows\system32\Diicml32.exe
1⤵
PID:6600
- C:\Windows\SysWOW64\Dapkni32.exe
  C:\Windows\system32\Dapkni32.exe
  2⤵
  PID:6644
- - C:\Windows\SysWOW64\Dcogje32.exe
    C:\Windows\system32\Dcogje32.exe
    3⤵
    PID:6688

C:\Windows\SysWOW64\Djhpgofm.exe
C:\Windows\system32\Djhpgofm.exe
1⤵
PID:6732
- C:\Windows\SysWOW64\Dmglcj32.exe
  C:\Windows\system32\Dmglcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6772
- - C:\Windows\SysWOW64\Dpehof32.exe
    C:\Windows\system32\Dpehof32.exe
    3⤵
    - Drops file in System32 directory
    PID:6816
  - - C:\Windows\SysWOW64\Dfoplpla.exe
      C:\Windows\system32\Dfoplpla.exe
      4⤵
      Drops file in System32 directory
      PID:6860
    - - C:\Windows\SysWOW64\Dmihij32.exe
        
        C:\Windows\system32\Dmihij32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6908
      - C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        6⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Dhomfc32.exe
        
        C:\Windows\system32\Dhomfc32.exe
        7⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        8⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Jgadgf32.exe
        
        C:\Windows\system32\Jgadgf32.exe
        9⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        10⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        11⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Jbiejoaj.exe
        
        C:\Windows\system32\Jbiejoaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Jibmgi32.exe
        
        C:\Windows\system32\Jibmgi32.exe
        13⤵
        Drops file in System32 directory
        
        PID:6204

C:\Windows\SysWOW64\Jkaicd32.exe
C:\Windows\system32\Jkaicd32.exe
1⤵
- Modifies registry class
PID:6256
- C:\Windows\SysWOW64\Jnpfop32.exe
  C:\Windows\system32\Jnpfop32.exe
  2⤵
  - Modifies registry class
  PID:6300
- - C:\Windows\SysWOW64\Kdinljnk.exe
    C:\Windows\system32\Kdinljnk.exe
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\Kkcfid32.exe
      C:\Windows\system32\Kkcfid32.exe
      4⤵
      PID:4456

C:\Windows\SysWOW64\Kbmoen32.exe
C:\Windows\system32\Kbmoen32.exe
1⤵
PID:6408
- C:\Windows\SysWOW64\Kiggbhda.exe
  C:\Windows\system32\Kiggbhda.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6480
- - C:\Windows\SysWOW64\Kgmcce32.exe
    C:\Windows\system32\Kgmcce32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6576
  - - C:\Windows\SysWOW64\Knflpoqf.exe
      C:\Windows\system32\Knflpoqf.exe
      4⤵
      Modifies registry class
      PID:6652

C:\Windows\SysWOW64\Kaehljpj.exe
C:\Windows\system32\Kaehljpj.exe
1⤵
- Modifies registry class
PID:6712
- C:\Windows\SysWOW64\Kilpmh32.exe
  C:\Windows\system32\Kilpmh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6804
- - C:\Windows\SysWOW64\Kjmmepfj.exe
    C:\Windows\system32\Kjmmepfj.exe
    3⤵
    - Modifies registry class
    PID:6836

C:\Windows\SysWOW64\Kbddfmgl.exe
C:\Windows\system32\Kbddfmgl.exe
1⤵
PID:6944
- C:\Windows\SysWOW64\Kinmcg32.exe
  C:\Windows\system32\Kinmcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7004
- - C:\Windows\SysWOW64\Kjpijpdg.exe
    C:\Windows\system32\Kjpijpdg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:7088
  - - C:\Windows\SysWOW64\Lajagj32.exe
      C:\Windows\system32\Lajagj32.exe
      4⤵
      Modifies registry class
      PID:7164
    - - C:\Windows\SysWOW64\Lgcjdd32.exe
        
        C:\Windows\system32\Lgcjdd32.exe
        5⤵
        
        PID:6156
      - C:\Windows\SysWOW64\Lbinam32.exe
        
        C:\Windows\system32\Lbinam32.exe
        6⤵
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        7⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        9⤵
        Drops file in System32 directory
        
        PID:5384

C:\Windows\SysWOW64\Lankbigo.exe
C:\Windows\system32\Lankbigo.exe
1⤵
- Drops file in System32 directory
PID:6352
- C:\Windows\SysWOW64\Lghcocol.exe
  C:\Windows\system32\Lghcocol.exe
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\Ljgpkonp.exe
    C:\Windows\system32\Ljgpkonp.exe
    3⤵
    PID:6552
  - - C:\Windows\SysWOW64\Lbngllob.exe
      C:\Windows\system32\Lbngllob.exe
      4⤵
      PID:6680

C:\Windows\SysWOW64\Lelchgne.exe
C:\Windows\system32\Lelchgne.exe
1⤵
- Drops file in System32 directory
PID:6764
- C:\Windows\SysWOW64\Llflea32.exe
  C:\Windows\system32\Llflea32.exe
  2⤵
  - Modifies registry class
  PID:6840
- - C:\Windows\SysWOW64\Lbpdblmo.exe
    C:\Windows\system32\Lbpdblmo.exe
    3⤵
    - Modifies registry class
    PID:6972
  - - C:\Windows\SysWOW64\Leopnglc.exe
      C:\Windows\system32\Leopnglc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies registry class
      PID:7072
    - - C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        5⤵
        
        PID:7148

C:\Windows\SysWOW64\Mbbagk32.exe
C:\Windows\system32\Mbbagk32.exe
1⤵
- Drops file in System32 directory
PID:6192
- C:\Windows\SysWOW64\Meamcg32.exe
  C:\Windows\system32\Meamcg32.exe
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\Mhoipb32.exe
    C:\Windows\system32\Mhoipb32.exe
    3⤵
    - Drops file in System32 directory
    PID:6444
  - - C:\Windows\SysWOW64\Nolgijpk.exe
      C:\Windows\system32\Nolgijpk.exe
      4⤵
      PID:6620

C:\Windows\SysWOW64\Ljkifn32.exe
C:\Windows\system32\Ljkifn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3108

C:\Windows\SysWOW64\Nhdlao32.exe
C:\Windows\system32\Nhdlao32.exe
1⤵
PID:6728
- C:\Windows\SysWOW64\Okchnk32.exe
  C:\Windows\system32\Okchnk32.exe
  2⤵
  - Modifies registry class
  PID:6932
- - C:\Windows\SysWOW64\Oidhlb32.exe
    C:\Windows\system32\Oidhlb32.exe
    3⤵
    - Drops file in System32 directory
    PID:7056

C:\Windows\SysWOW64\Olbdhn32.exe
C:\Windows\system32\Olbdhn32.exe
1⤵
- Modifies registry class
PID:4084
- C:\Windows\SysWOW64\Ooqqdi32.exe
  C:\Windows\system32\Ooqqdi32.exe
  2⤵
  PID:6284
- - C:\Windows\SysWOW64\Oaompd32.exe
    C:\Windows\system32\Oaompd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:324

C:\Windows\SysWOW64\Oekiqccc.exe
C:\Windows\system32\Oekiqccc.exe
1⤵
PID:6540
- C:\Windows\SysWOW64\Oldamm32.exe
  C:\Windows\system32\Oldamm32.exe
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\Oocmii32.exe
    C:\Windows\system32\Oocmii32.exe
    3⤵
    PID:7128

C:\Windows\SysWOW64\Oaajed32.exe
C:\Windows\system32\Oaajed32.exe
1⤵
PID:2568
- C:\Windows\SysWOW64\Oihagaji.exe
  C:\Windows\system32\Oihagaji.exe
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\Okjnnj32.exe
    C:\Windows\system32\Okjnnj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:7068
  - - C:\Windows\SysWOW64\Oadfkdgd.exe
      C:\Windows\system32\Oadfkdgd.exe
      4⤵
      PID:6636
    - - C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        5⤵
        
        PID:6396

C:\Windows\SysWOW64\Oklkdi32.exe
C:\Windows\system32\Oklkdi32.exe
1⤵
PID:6280
- C:\Windows\SysWOW64\Oafcqcea.exe
  C:\Windows\system32\Oafcqcea.exe
  2⤵
  PID:7192
- - C:\Windows\SysWOW64\Pllgnl32.exe
    C:\Windows\system32\Pllgnl32.exe
    3⤵
    - Drops file in System32 directory
    PID:7240
  - - C:\Windows\SysWOW64\Pcepkfld.exe
      C:\Windows\system32\Pcepkfld.exe
      4⤵
      Drops file in System32 directory
      PID:7280
    - - C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        5⤵
        
        PID:7324
      - C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        6⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Pefhlaie.exe
        
        C:\Windows\system32\Pefhlaie.exe
        7⤵
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\Plpqil32.exe
        
        C:\Windows\system32\Plpqil32.exe
        8⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Pcjiff32.exe
        
        C:\Windows\system32\Pcjiff32.exe
        9⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Phganm32.exe
        
        C:\Windows\system32\Phganm32.exe
        10⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        11⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        12⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Qadoba32.exe
        
        C:\Windows\system32\Qadoba32.exe
        13⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        14⤵
        Drops file in System32 directory
        
        PID:7708

C:\Windows\SysWOW64\Qkmdkgob.exe
C:\Windows\system32\Qkmdkgob.exe
1⤵
PID:7748
- C:\Windows\SysWOW64\Qcclld32.exe
  C:\Windows\system32\Qcclld32.exe
  2⤵
  PID:7788
- - C:\Windows\SysWOW64\Qebhhp32.exe
    C:\Windows\system32\Qebhhp32.exe
    3⤵
    PID:7844

C:\Windows\SysWOW64\Allpejfe.exe
C:\Windows\system32\Allpejfe.exe
1⤵
- Modifies registry class
PID:7884
- C:\Windows\SysWOW64\Aojlaeei.exe
  C:\Windows\system32\Aojlaeei.exe
  2⤵
  PID:7924

C:\Windows\SysWOW64\Aaiimadl.exe
C:\Windows\system32\Aaiimadl.exe
1⤵
PID:8000
- C:\Windows\SysWOW64\Ahcajk32.exe
  C:\Windows\system32\Ahcajk32.exe
  2⤵
  PID:8040
- - C:\Windows\SysWOW64\Aomifecf.exe
    C:\Windows\system32\Aomifecf.exe
    3⤵
    PID:8100
  - - C:\Windows\SysWOW64\Alqjpi32.exe
      C:\Windows\system32\Alqjpi32.exe
      4⤵
      Modifies registry class
      PID:8148
    - - C:\Windows\SysWOW64\Aoofle32.exe
        
        C:\Windows\system32\Aoofle32.exe
        5⤵
        Modifies registry class
        
        PID:7172

C:\Windows\SysWOW64\Ahgjejhd.exe
C:\Windows\system32\Ahgjejhd.exe
1⤵
PID:7220
- C:\Windows\SysWOW64\Aoabad32.exe
  C:\Windows\system32\Aoabad32.exe
  2⤵
  PID:7304
- - C:\Windows\SysWOW64\Afkknogn.exe
    C:\Windows\system32\Afkknogn.exe
    3⤵
    - Modifies registry class
    PID:7388
  - - C:\Windows\SysWOW64\Aodogdmn.exe
      C:\Windows\system32\Aodogdmn.exe
      4⤵
      Modifies registry class
      PID:7472

C:\Windows\SysWOW64\Bfngdn32.exe
C:\Windows\system32\Bfngdn32.exe
1⤵
- Drops file in System32 directory
PID:7528
- C:\Windows\SysWOW64\Bhldpj32.exe
  C:\Windows\system32\Bhldpj32.exe
  2⤵
  PID:7616
- - C:\Windows\SysWOW64\Boflmdkk.exe
    C:\Windows\system32\Boflmdkk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:7716
  - - C:\Windows\SysWOW64\Bbdhiojo.exe
      C:\Windows\system32\Bbdhiojo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:7796
    - - C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7892

C:\Windows\SysWOW64\Bohibc32.exe
C:\Windows\system32\Bohibc32.exe
1⤵
PID:8012
- C:\Windows\SysWOW64\Bfbaonae.exe
  C:\Windows\system32\Bfbaonae.exe
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\Bkoigdom.exe
    C:\Windows\system32\Bkoigdom.exe
    3⤵
    PID:1044
  - - C:\Windows\SysWOW64\Bcfahbpo.exe
      C:\Windows\system32\Bcfahbpo.exe
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\Bfendmoc.exe
        
        C:\Windows\system32\Bfendmoc.exe
        5⤵
        Modifies registry class
        
        PID:8140

C:\Windows\SysWOW64\Bhcjqinf.exe
C:\Windows\system32\Bhcjqinf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8176
- C:\Windows\SysWOW64\Bkafmd32.exe
  C:\Windows\system32\Bkafmd32.exe
  2⤵
  PID:7300
- - C:\Windows\SysWOW64\Bcinna32.exe
    C:\Windows\system32\Bcinna32.exe
    3⤵
    PID:7392

C:\Windows\SysWOW64\Cfigpm32.exe
C:\Windows\system32\Cfigpm32.exe
1⤵
PID:7520
- C:\Windows\SysWOW64\Cihclh32.exe
  C:\Windows\system32\Cihclh32.exe
  2⤵
  PID:7696
- - C:\Windows\SysWOW64\Cobkhb32.exe
    C:\Windows\system32\Cobkhb32.exe
    3⤵
    PID:7980

C:\Windows\SysWOW64\Cfldelik.exe
C:\Windows\system32\Cfldelik.exe
1⤵
PID:2948
- C:\Windows\SysWOW64\Cmflbf32.exe
  C:\Windows\system32\Cmflbf32.exe
  2⤵
  PID:1020
- - C:\Windows\SysWOW64\Ccpdoqgd.exe
    C:\Windows\system32\Ccpdoqgd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:8172
  - - C:\Windows\SysWOW64\Cjjlkk32.exe
      C:\Windows\system32\Cjjlkk32.exe
      4⤵
      PID:7256
    - - C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        5⤵
        Drops file in System32 directory
        
        PID:7508

C:\Windows\SysWOW64\Cfqmpl32.exe
C:\Windows\system32\Cfqmpl32.exe
1⤵
- Drops file in System32 directory
PID:7640
- C:\Windows\SysWOW64\Cioilg32.exe
  C:\Windows\system32\Cioilg32.exe
  2⤵
  - Drops file in System32 directory
  PID:7932
- - C:\Windows\SysWOW64\Coiaiakf.exe
    C:\Windows\system32\Coiaiakf.exe
    3⤵
    PID:8048
  - - C:\Windows\SysWOW64\Cjnffjkl.exe
      C:\Windows\system32\Cjnffjkl.exe
      4⤵
      Drops file in System32 directory
      PID:7224
    - - C:\Windows\SysWOW64\Cmmbbejp.exe
        
        C:\Windows\system32\Cmmbbejp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7732
      - C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        6⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        7⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        8⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Dpnkdq32.exe
        
        C:\Windows\system32\Dpnkdq32.exe
        9⤵
        
        PID:8116

C:\Windows\SysWOW64\Dblgpl32.exe
C:\Windows\system32\Dblgpl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7356
- C:\Windows\SysWOW64\Djcoai32.exe
  C:\Windows\system32\Djcoai32.exe
  2⤵
  - Drops file in System32 directory
  PID:8128
- - C:\Windows\SysWOW64\Dkdliame.exe
    C:\Windows\system32\Dkdliame.exe
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\Dckdjomg.exe
      C:\Windows\system32\Dckdjomg.exe
      4⤵
      PID:8212

C:\Windows\SysWOW64\Djelgied.exe
C:\Windows\system32\Djelgied.exe
1⤵
- Modifies registry class
PID:8252
- C:\Windows\SysWOW64\Dmdhcddh.exe
  C:\Windows\system32\Dmdhcddh.exe
  2⤵
  PID:8300

C:\Windows\SysWOW64\Dcnqpo32.exe
C:\Windows\system32\Dcnqpo32.exe
1⤵
PID:8336
- C:\Windows\SysWOW64\Djhimica.exe
  C:\Windows\system32\Djhimica.exe
  2⤵
  PID:8384
- - C:\Windows\SysWOW64\Dmfeidbe.exe
    C:\Windows\system32\Dmfeidbe.exe
    3⤵
    PID:8424
  - - C:\Windows\SysWOW64\Dlieda32.exe
      C:\Windows\system32\Dlieda32.exe
      4⤵
      PID:8468

C:\Windows\SysWOW64\Dcpmen32.exe
C:\Windows\system32\Dcpmen32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:8512
- C:\Windows\SysWOW64\Dfoiaj32.exe
  C:\Windows\system32\Dfoiaj32.exe
  2⤵
  - Drops file in System32 directory
  PID:8556

C:\Windows\SysWOW64\Dimenegi.exe
C:\Windows\system32\Dimenegi.exe
1⤵
PID:8596
- C:\Windows\SysWOW64\Dlkbjqgm.exe
  C:\Windows\system32\Dlkbjqgm.exe
  2⤵
  PID:8644
- - C:\Windows\SysWOW64\Ecbjkngo.exe
    C:\Windows\system32\Ecbjkngo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:8676

C:\Windows\SysWOW64\Eiobceef.exe
C:\Windows\system32\Eiobceef.exe
1⤵
PID:8764
- C:\Windows\SysWOW64\Elnoopdj.exe
  C:\Windows\system32\Elnoopdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:8804
- - C:\Windows\SysWOW64\Ecefqnel.exe
    C:\Windows\system32\Ecefqnel.exe
    3⤵
    PID:8852
  - - C:\Windows\SysWOW64\Ejoomhmi.exe
      C:\Windows\system32\Ejoomhmi.exe
      4⤵
      PID:8892

C:\Windows\SysWOW64\Emmkiclm.exe
C:\Windows\system32\Emmkiclm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8936
- C:\Windows\SysWOW64\Ecgcfm32.exe
  C:\Windows\system32\Ecgcfm32.exe
  2⤵
  PID:8976
- - C:\Windows\SysWOW64\Ejalcgkg.exe
    C:\Windows\system32\Ejalcgkg.exe
    3⤵
    - Drops file in System32 directory
    PID:9020

C:\Windows\SysWOW64\Eidlnd32.exe
C:\Windows\system32\Eidlnd32.exe
1⤵
PID:9060
- C:\Windows\SysWOW64\Eciplm32.exe
  C:\Windows\system32\Eciplm32.exe
  2⤵
  - Drops file in System32 directory
  PID:9108
- - C:\Windows\SysWOW64\Ejchhgid.exe
    C:\Windows\system32\Ejchhgid.exe
    3⤵
    PID:9156

C:\Windows\SysWOW64\Embddb32.exe
C:\Windows\system32\Embddb32.exe
1⤵
PID:9192
- C:\Windows\SysWOW64\Eclmamod.exe
  C:\Windows\system32\Eclmamod.exe
  2⤵
  - Drops file in System32 directory
  PID:8236
- - C:\Windows\SysWOW64\Efjimhnh.exe
    C:\Windows\system32\Efjimhnh.exe
    3⤵
    PID:8296
  - - C:\Windows\SysWOW64\Flqdlnde.exe
      C:\Windows\system32\Flqdlnde.exe
      4⤵
      PID:8372
    - - C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        5⤵
        
        PID:8452
      - C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        6⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        7⤵
        
        PID:2648

C:\Windows\SysWOW64\Efafgifc.exe
C:\Windows\system32\Efafgifc.exe
1⤵
- Modifies registry class
PID:8724

C:\Windows\SysWOW64\Gbmingjo.exe
C:\Windows\system32\Gbmingjo.exe
1⤵
PID:8716
- C:\Windows\SysWOW64\Gjdaodja.exe
  C:\Windows\system32\Gjdaodja.exe
  2⤵
  - Drops file in System32 directory
  PID:8792
- - C:\Windows\SysWOW64\Glengm32.exe
    C:\Windows\system32\Glengm32.exe
    3⤵
    - Modifies registry class
    PID:8836
  - - C:\Windows\SysWOW64\Gbofcghl.exe
      C:\Windows\system32\Gbofcghl.exe
      4⤵
      PID:8908

C:\Windows\SysWOW64\Gfkbde32.exe
C:\Windows\system32\Gfkbde32.exe
1⤵
PID:8988
- C:\Windows\SysWOW64\Giinpa32.exe
  C:\Windows\system32\Giinpa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:9052

C:\Windows\SysWOW64\Glgjlm32.exe
C:\Windows\system32\Glgjlm32.exe
1⤵
- Drops file in System32 directory
PID:9136
- C:\Windows\SysWOW64\Gdobnj32.exe
  C:\Windows\system32\Gdobnj32.exe
  2⤵
  PID:9096
- - C:\Windows\SysWOW64\Gfmojenc.exe
    C:\Windows\system32\Gfmojenc.exe
    3⤵
    PID:8260

C:\Windows\SysWOW64\Gikkfqmf.exe
C:\Windows\system32\Gikkfqmf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8356
- C:\Windows\SysWOW64\Gljgbllj.exe
  C:\Windows\system32\Gljgbllj.exe
  2⤵
  PID:8448

C:\Windows\SysWOW64\Gdaociml.exe
C:\Windows\system32\Gdaociml.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8544
- C:\Windows\SysWOW64\Gfokoelp.exe
  C:\Windows\system32\Gfokoelp.exe
  2⤵
  PID:8704
- - C:\Windows\SysWOW64\Gingkqkd.exe
    C:\Windows\system32\Gingkqkd.exe
    3⤵
    - Modifies registry class
    PID:8848

C:\Windows\SysWOW64\Glldgljg.exe
C:\Windows\system32\Glldgljg.exe
1⤵
- Drops file in System32 directory
PID:8924
- C:\Windows\SysWOW64\Gdcliikj.exe
  C:\Windows\system32\Gdcliikj.exe
  2⤵
  PID:9044
- - C:\Windows\SysWOW64\Gkmdecbg.exe
    C:\Windows\system32\Gkmdecbg.exe
    3⤵
    PID:9204

C:\Windows\SysWOW64\Hloqml32.exe
C:\Windows\system32\Hloqml32.exe
1⤵
- Drops file in System32 directory
PID:8284
- C:\Windows\SysWOW64\Hdehni32.exe
  C:\Windows\system32\Hdehni32.exe
  2⤵
  PID:8432

C:\Windows\SysWOW64\Hbhijepa.exe
C:\Windows\system32\Hbhijepa.exe
1⤵
PID:8624
- C:\Windows\SysWOW64\Hkpqkcpd.exe
  C:\Windows\system32\Hkpqkcpd.exe
  2⤵
  - Modifies registry class
  PID:8708
- - C:\Windows\SysWOW64\Hplicjok.exe
    C:\Windows\system32\Hplicjok.exe
    3⤵
    - Modifies registry class
    PID:8964
  - - C:\Windows\SysWOW64\Hgfapd32.exe
      C:\Windows\system32\Hgfapd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:9132
    - - C:\Windows\SysWOW64\Hkbmqb32.exe
        
        C:\Windows\system32\Hkbmqb32.exe
        5⤵
        Modifies registry class
        
        PID:8248
      - C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        6⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8900
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9200
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        9⤵
        
        PID:8540

C:\Windows\SysWOW64\Hdmoohbo.exe
C:\Windows\system32\Hdmoohbo.exe
1⤵
PID:9148
- C:\Windows\SysWOW64\Hkfglb32.exe
  C:\Windows\system32\Hkfglb32.exe
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\Hmechmip.exe
    C:\Windows\system32\Hmechmip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9116
  - - C:\Windows\SysWOW64\Hdokdg32.exe
      C:\Windows\system32\Hdokdg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:1032
    - - C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        5⤵
        
        PID:9232
      - C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        6⤵
        Modifies registry class
        
        PID:9272
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        7⤵
        Drops file in System32 directory
        
        PID:9320
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        8⤵
        Modifies registry class
        
        PID:9364
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9404
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        10⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9488

C:\Windows\SysWOW64\Ipjedh32.exe
C:\Windows\system32\Ipjedh32.exe
1⤵
PID:9528
- C:\Windows\SysWOW64\Idfaefkd.exe
  C:\Windows\system32\Idfaefkd.exe
  2⤵
  PID:9568
- - C:\Windows\SysWOW64\Ikpjbq32.exe
    C:\Windows\system32\Ikpjbq32.exe
    3⤵
    PID:9612

C:\Windows\SysWOW64\Ipmbjgpi.exe
C:\Windows\system32\Ipmbjgpi.exe
1⤵
- Modifies registry class
PID:9652
- C:\Windows\SysWOW64\Icknfcol.exe
  C:\Windows\system32\Icknfcol.exe
  2⤵
  PID:9708
- - C:\Windows\SysWOW64\Inqbclob.exe
    C:\Windows\system32\Inqbclob.exe
    3⤵
    PID:9748
  - - C:\Windows\SysWOW64\Igigla32.exe
      C:\Windows\system32\Igigla32.exe
      4⤵
      PID:9808
    - - C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        5⤵
        
        PID:9848
      - C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        6⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        7⤵
        
        PID:9936

C:\Windows\SysWOW64\Jgkdbacp.exe
C:\Windows\system32\Jgkdbacp.exe
1⤵
PID:9980
- C:\Windows\SysWOW64\Jjjpnlbd.exe
  C:\Windows\system32\Jjjpnlbd.exe
  2⤵
  PID:10024
- - C:\Windows\SysWOW64\Jpdhkf32.exe
    C:\Windows\system32\Jpdhkf32.exe
    3⤵
    PID:10072

C:\Windows\SysWOW64\Jcbdgb32.exe
C:\Windows\system32\Jcbdgb32.exe
1⤵
PID:10112
- C:\Windows\SysWOW64\Jkimho32.exe
  C:\Windows\system32\Jkimho32.exe
  2⤵
  PID:10160
- - C:\Windows\SysWOW64\Jnhidk32.exe
    C:\Windows\system32\Jnhidk32.exe
    3⤵
    PID:10204

C:\Windows\SysWOW64\Jpfepf32.exe
C:\Windows\system32\Jpfepf32.exe
1⤵
PID:9104
- C:\Windows\SysWOW64\Jgpmmp32.exe
  C:\Windows\system32\Jgpmmp32.exe
  2⤵
  PID:9288
- - C:\Windows\SysWOW64\Jjoiil32.exe
    C:\Windows\system32\Jjoiil32.exe
    3⤵
    PID:9372
  - - C:\Windows\SysWOW64\Jqhafffk.exe
      C:\Windows\system32\Jqhafffk.exe
      4⤵
      PID:9420

C:\Windows\SysWOW64\Jcgnbaeo.exe
C:\Windows\system32\Jcgnbaeo.exe
1⤵
PID:9520
- C:\Windows\SysWOW64\Jdfjld32.exe
  C:\Windows\system32\Jdfjld32.exe
  2⤵
  PID:9592

C:\Windows\SysWOW64\Kglmio32.exe
C:\Windows\system32\Kglmio32.exe
1⤵
PID:10040
- C:\Windows\SysWOW64\Kjmfjj32.exe
  C:\Windows\system32\Kjmfjj32.exe
  2⤵
  PID:10144
- - C:\Windows\SysWOW64\Kdbjhbbd.exe
    C:\Windows\system32\Kdbjhbbd.exe
    3⤵
    PID:10228

C:\Windows\SysWOW64\Lqikmc32.exe
C:\Windows\system32\Lqikmc32.exe
1⤵
PID:9312
- C:\Windows\SysWOW64\Lnmkfh32.exe
  C:\Windows\system32\Lnmkfh32.exe
  2⤵
  PID:8668
- - C:\Windows\SysWOW64\Lcjcnoej.exe
    C:\Windows\system32\Lcjcnoej.exe
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\Lnohlgep.exe
      C:\Windows\system32\Lnohlgep.exe
      4⤵
      PID:9508

C:\Windows\SysWOW64\Ldipha32.exe
C:\Windows\system32\Ldipha32.exe
1⤵
PID:9604
- C:\Windows\SysWOW64\Lmdemd32.exe
  C:\Windows\system32\Lmdemd32.exe
  2⤵
  PID:4852

C:\Windows\SysWOW64\Lndagg32.exe
C:\Windows\system32\Lndagg32.exe
1⤵
PID:9840
- C:\Windows\SysWOW64\Mcqjon32.exe
  C:\Windows\system32\Mcqjon32.exe
  2⤵
  PID:9876

C:\Windows\SysWOW64\Mccfdmmo.exe
C:\Windows\system32\Mccfdmmo.exe
1⤵
PID:9956
- C:\Windows\SysWOW64\Maggnali.exe
  C:\Windows\system32\Maggnali.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Mcecjmkl.exe
    C:\Windows\system32\Mcecjmkl.exe
    3⤵
    PID:4640

C:\Windows\SysWOW64\Mnmdme32.exe
C:\Windows\system32\Mnmdme32.exe
1⤵
PID:10200
- C:\Windows\SysWOW64\Mnpabe32.exe
  C:\Windows\system32\Mnpabe32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Nclikl32.exe
    C:\Windows\system32\Nclikl32.exe
    3⤵
    PID:3908

C:\Windows\SysWOW64\Njfagf32.exe
C:\Windows\system32\Njfagf32.exe
1⤵
PID:1388
- C:\Windows\SysWOW64\Nmenca32.exe
  C:\Windows\system32\Nmenca32.exe
  2⤵
  PID:9480
- - C:\Windows\SysWOW64\Nelfeo32.exe
    C:\Windows\system32\Nelfeo32.exe
    3⤵
    PID:4988

C:\Windows\SysWOW64\Ngjbaj32.exe
C:\Windows\system32\Ngjbaj32.exe
1⤵
PID:9552
- C:\Windows\SysWOW64\Ncabfkqo.exe
  C:\Windows\system32\Ncabfkqo.exe
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\Nnfgcd32.exe
    C:\Windows\system32\Nnfgcd32.exe
    3⤵
    PID:3172
  - - C:\Windows\SysWOW64\Naecop32.exe
      C:\Windows\system32\Naecop32.exe
      4⤵
      PID:1068

C:\Windows\SysWOW64\Nccokk32.exe
C:\Windows\system32\Nccokk32.exe
1⤵
PID:3060
- C:\Windows\SysWOW64\Nnicid32.exe
  C:\Windows\system32\Nnicid32.exe
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\Nagpeo32.exe
    C:\Windows\system32\Nagpeo32.exe
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\Ndflak32.exe
      C:\Windows\system32\Ndflak32.exe
      4⤵
      PID:5004

C:\Windows\SysWOW64\Nhahaiec.exe
C:\Windows\system32\Nhahaiec.exe
1⤵
PID:10140
- C:\Windows\SysWOW64\Njpdnedf.exe
  C:\Windows\system32\Njpdnedf.exe
  2⤵
  PID:10236

C:\Windows\SysWOW64\Nmnqjp32.exe
C:\Windows\system32\Nmnqjp32.exe
1⤵
PID:2148
- C:\Windows\SysWOW64\Oeehkn32.exe
  C:\Windows\system32\Oeehkn32.exe
  2⤵
  PID:9356
- - C:\Windows\SysWOW64\Omqmop32.exe
    C:\Windows\system32\Omqmop32.exe
    3⤵
    PID:2136

C:\Windows\SysWOW64\Phodcg32.exe
C:\Windows\system32\Phodcg32.exe
1⤵
PID:9696
- C:\Windows\SysWOW64\Pknqoc32.exe
  C:\Windows\system32\Pknqoc32.exe
  2⤵
  PID:3960

C:\Windows\SysWOW64\Pmlmkn32.exe
C:\Windows\system32\Pmlmkn32.exe
1⤵
PID:3184
- C:\Windows\SysWOW64\Pkpmdbfd.exe
  C:\Windows\system32\Pkpmdbfd.exe
  2⤵
  PID:3640

C:\Windows\SysWOW64\Pmoiqneg.exe
C:\Windows\system32\Pmoiqneg.exe
1⤵
PID:2920
- C:\Windows\SysWOW64\Pajeam32.exe
  C:\Windows\system32\Pajeam32.exe
  2⤵
  PID:2756

C:\Windows\SysWOW64\Pdmkhgho.exe
C:\Windows\system32\Pdmkhgho.exe
1⤵
PID:10212
- C:\Windows\SysWOW64\Pldcjeia.exe
  C:\Windows\system32\Pldcjeia.exe
  2⤵
  PID:8736

C:\Windows\SysWOW64\Pocpfphe.exe
C:\Windows\system32\Pocpfphe.exe
1⤵
PID:2196
- C:\Windows\SysWOW64\Qmepam32.exe
  C:\Windows\system32\Qmepam32.exe
  2⤵
  - Executes dropped EXE
  PID:820

C:\Windows\SysWOW64\Aojefobm.exe
C:\Windows\system32\Aojefobm.exe
1⤵
- Executes dropped EXE
PID:3332
- C:\Windows\SysWOW64\Adfnofpd.exe
  C:\Windows\system32\Adfnofpd.exe
  2⤵
  PID:4080

C:\Windows\SysWOW64\Akepfpcl.exe
C:\Windows\system32\Akepfpcl.exe
1⤵
PID:3152
- C:\Windows\SysWOW64\Aaohcj32.exe
  C:\Windows\system32\Aaohcj32.exe
  2⤵
  PID:2864

C:\Windows\SysWOW64\Akglloai.exe
C:\Windows\system32\Akglloai.exe
1⤵
PID:3788
- C:\Windows\SysWOW64\Baadiiif.exe
  C:\Windows\system32\Baadiiif.exe
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\Bhkmec32.exe
    C:\Windows\system32\Bhkmec32.exe
    3⤵
    PID:3092

C:\Windows\SysWOW64\Bnhenj32.exe
C:\Windows\system32\Bnhenj32.exe
1⤵
PID:5228
- C:\Windows\SysWOW64\Bepmoh32.exe
  C:\Windows\system32\Bepmoh32.exe
  2⤵
  PID:5768

C:\Windows\SysWOW64\Bdbnjdfg.exe
C:\Windows\system32\Bdbnjdfg.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4628
- C:\Windows\SysWOW64\Blielbfi.exe
  C:\Windows\system32\Blielbfi.exe
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\Bohbhmfm.exe
    C:\Windows\system32\Bohbhmfm.exe
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\Bafndi32.exe
      C:\Windows\system32\Bafndi32.exe
      4⤵
      Executes dropped EXE
      PID:4784

C:\Windows\SysWOW64\Bkjiao32.exe
C:\Windows\system32\Bkjiao32.exe
1⤵
PID:2004

C:\Windows\SysWOW64\Bakgoh32.exe
C:\Windows\system32\Bakgoh32.exe
1⤵
PID:3660
- C:\Windows\SysWOW64\Bdickcpo.exe
  C:\Windows\system32\Bdickcpo.exe
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\Blqllqqa.exe
    C:\Windows\system32\Blqllqqa.exe
    3⤵
    PID:3120

C:\Windows\SysWOW64\Coohhlpe.exe
C:\Windows\system32\Coohhlpe.exe
1⤵
- Executes dropped EXE
PID:2380
- C:\Windows\SysWOW64\Camddhoi.exe
  C:\Windows\system32\Camddhoi.exe
  2⤵
  PID:5728

C:\Windows\SysWOW64\Cdlqqcnl.exe
C:\Windows\system32\Cdlqqcnl.exe
1⤵
PID:2524
- C:\Windows\SysWOW64\Clchbqoo.exe
  C:\Windows\system32\Clchbqoo.exe
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\Cndeii32.exe
    C:\Windows\system32\Cndeii32.exe
    3⤵
    PID:2308

C:\Windows\SysWOW64\Cfkmkf32.exe
C:\Windows\system32\Cfkmkf32.exe
1⤵
PID:5476
- C:\Windows\SysWOW64\Chiigadc.exe
  C:\Windows\system32\Chiigadc.exe
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\Ckhecmcf.exe
    C:\Windows\system32\Ckhecmcf.exe
    3⤵
    PID:384

C:\Windows\SysWOW64\Cnfaohbj.exe
C:\Windows\system32\Cnfaohbj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\Cdpjlb32.exe
  C:\Windows\system32\Cdpjlb32.exe
  2⤵
  PID:5856
- - C:\Windows\SysWOW64\Cofnik32.exe
    C:\Windows\system32\Cofnik32.exe
    3⤵
    PID:5656
  - - C:\Windows\SysWOW64\Cbdjeg32.exe
      C:\Windows\system32\Cbdjeg32.exe
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988

C:\Windows\SysWOW64\Dbbffdlq.exe
C:\Windows\system32\Dbbffdlq.exe
1⤵
PID:6084
- C:\Windows\SysWOW64\Eofgpikj.exe
  C:\Windows\system32\Eofgpikj.exe
  2⤵
  PID:5740

C:\Windows\SysWOW64\Eicedn32.exe
C:\Windows\system32\Eicedn32.exe
1⤵
PID:724
- C:\Windows\SysWOW64\Epmmqheb.exe
  C:\Windows\system32\Epmmqheb.exe
  2⤵
  PID:5940

C:\Windows\SysWOW64\Fmhdkknd.exe
C:\Windows\system32\Fmhdkknd.exe
1⤵
PID:2008
- C:\Windows\SysWOW64\Fpgpgfmh.exe
  C:\Windows\system32\Fpgpgfmh.exe
  2⤵
  PID:5448

C:\Windows\SysWOW64\Fbelcblk.exe
C:\Windows\system32\Fbelcblk.exe
1⤵
PID:5632
- C:\Windows\SysWOW64\Ffceip32.exe
  C:\Windows\system32\Ffceip32.exe
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\Fpkibf32.exe
    C:\Windows\system32\Fpkibf32.exe
    3⤵
    PID:5680
  - - C:\Windows\SysWOW64\Gmojkj32.exe
      C:\Windows\system32\Gmojkj32.exe
      4⤵
      PID:6216

C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988
- C:\Windows\SysWOW64\Gfhndpol.exe
  C:\Windows\system32\Gfhndpol.exe
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\Gifkpknp.exe
    C:\Windows\system32\Gifkpknp.exe
    3⤵
    PID:4560

C:\Windows\SysWOW64\Gldglf32.exe
C:\Windows\system32\Gldglf32.exe
1⤵
PID:7968
- C:\Windows\SysWOW64\Gncchb32.exe
  C:\Windows\system32\Gncchb32.exe
  2⤵
  - Drops file in System32 directory
  PID:5584
- - C:\Windows\SysWOW64\Gemkelcd.exe
    C:\Windows\system32\Gemkelcd.exe
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\Gmdcfidg.exe
      C:\Windows\system32\Gmdcfidg.exe
      4⤵
      PID:5148

C:\Windows\SysWOW64\Gnepna32.exe
C:\Windows\system32\Gnepna32.exe
1⤵
PID:5468
- C:\Windows\SysWOW64\Geohklaa.exe
  C:\Windows\system32\Geohklaa.exe
  2⤵
  PID:5420

C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
1⤵
PID:5212
- C:\Windows\SysWOW64\Gbchdp32.exe
  C:\Windows\system32\Gbchdp32.exe
  2⤵
  PID:5736

C:\Windows\SysWOW64\Geaepk32.exe
C:\Windows\system32\Geaepk32.exe
1⤵
PID:5460
- C:\Windows\SysWOW64\Gmimai32.exe
  C:\Windows\system32\Gmimai32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:5180

C:\Windows\SysWOW64\Hplbickp.exe
C:\Windows\system32\Hplbickp.exe
1⤵
PID:5296
- C:\Windows\SysWOW64\Hoobdp32.exe
  C:\Windows\system32\Hoobdp32.exe
  2⤵
  PID:6020

C:\Windows\SysWOW64\Hffken32.exe
C:\Windows\system32\Hffken32.exe
1⤵
PID:6012
- C:\Windows\SysWOW64\Hidgai32.exe
  C:\Windows\system32\Hidgai32.exe
  2⤵
  PID:5272
- - C:\Windows\SysWOW64\Hmpcbhji.exe
    C:\Windows\system32\Hmpcbhji.exe
    3⤵
    PID:5208

C:\Windows\SysWOW64\Hpnoncim.exe
C:\Windows\system32\Hpnoncim.exe
1⤵
PID:1724
- C:\Windows\SysWOW64\Hblkjo32.exe
  C:\Windows\system32\Hblkjo32.exe
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\Hekgfj32.exe
    C:\Windows\system32\Hekgfj32.exe
    3⤵
    - Modifies registry class
    PID:5576

C:\Windows\SysWOW64\Hoclopne.exe
C:\Windows\system32\Hoclopne.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172
- C:\Windows\SysWOW64\Hfjdqmng.exe
  C:\Windows\system32\Hfjdqmng.exe
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\Hiipmhmk.exe
    C:\Windows\system32\Hiipmhmk.exe
    3⤵
    PID:10148

C:\Windows\SysWOW64\Hlglidlo.exe
C:\Windows\system32\Hlglidlo.exe
1⤵
PID:5340
- C:\Windows\SysWOW64\Hoeieolb.exe
  C:\Windows\system32\Hoeieolb.exe
  2⤵
  PID:5288
- - C:\Windows\SysWOW64\Ifmqfm32.exe
    C:\Windows\system32\Ifmqfm32.exe
    3⤵
    PID:6140

C:\Windows\SysWOW64\Iikmbh32.exe
C:\Windows\system32\Iikmbh32.exe
1⤵
PID:6004
- C:\Windows\SysWOW64\Ipeeobbe.exe
  C:\Windows\system32\Ipeeobbe.exe
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\Ibcaknbi.exe
    C:\Windows\system32\Ibcaknbi.exe
    3⤵
    PID:6036

C:\Windows\SysWOW64\Iebngial.exe
C:\Windows\system32\Iebngial.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5304
- C:\Windows\SysWOW64\Imiehfao.exe
  C:\Windows\system32\Imiehfao.exe
  2⤵
  PID:5256

C:\Windows\SysWOW64\Illfdc32.exe
C:\Windows\system32\Illfdc32.exe
1⤵
PID:5884
- C:\Windows\SysWOW64\Iojbpo32.exe
  C:\Windows\system32\Iojbpo32.exe
  2⤵
  PID:10068
- - C:\Windows\SysWOW64\Igajal32.exe
    C:\Windows\system32\Igajal32.exe
    3⤵
    - Executes dropped EXE
    PID:4760

C:\Windows\SysWOW64\Igdgglfl.exe
C:\Windows\system32\Igdgglfl.exe
1⤵
PID:5400
- C:\Windows\SysWOW64\Iibccgep.exe
  C:\Windows\system32\Iibccgep.exe
  2⤵
  PID:7828
- - C:\Windows\SysWOW64\Iplkpa32.exe
    C:\Windows\system32\Iplkpa32.exe
    3⤵
    PID:10248

C:\Windows\SysWOW64\Ickglm32.exe
C:\Windows\system32\Ickglm32.exe
1⤵
PID:10288
- C:\Windows\SysWOW64\Ieidhh32.exe
  C:\Windows\system32\Ieidhh32.exe
  2⤵
  PID:10328
- - C:\Windows\SysWOW64\Iidphgcn.exe
    C:\Windows\system32\Iidphgcn.exe
    3⤵
    PID:10368

C:\Windows\SysWOW64\Ilcldb32.exe
C:\Windows\system32\Ilcldb32.exe
1⤵
PID:10412
- C:\Windows\SysWOW64\Joahqn32.exe
  C:\Windows\system32\Joahqn32.exe
  2⤵
  PID:10452

C:\Windows\SysWOW64\Jghpbk32.exe
C:\Windows\system32\Jghpbk32.exe
1⤵
PID:10492
- C:\Windows\SysWOW64\Jiglnf32.exe
  C:\Windows\system32\Jiglnf32.exe
  2⤵
  PID:10532

C:\Windows\SysWOW64\Jmbhoeid.exe
C:\Windows\system32\Jmbhoeid.exe
1⤵
PID:10572
- C:\Windows\SysWOW64\Jpaekqhh.exe
  C:\Windows\system32\Jpaekqhh.exe
  2⤵
  PID:10608

C:\Windows\SysWOW64\Jcoaglhk.exe
C:\Windows\system32\Jcoaglhk.exe
1⤵
PID:10652
- C:\Windows\SysWOW64\Jiiicf32.exe
  C:\Windows\system32\Jiiicf32.exe
  2⤵
  PID:10700

C:\Windows\SysWOW64\Jlgepanl.exe
C:\Windows\system32\Jlgepanl.exe
1⤵
PID:10744
- C:\Windows\SysWOW64\Jofalmmp.exe
  C:\Windows\system32\Jofalmmp.exe
  2⤵
  PID:10788

C:\Windows\SysWOW64\Jepjhg32.exe
C:\Windows\system32\Jepjhg32.exe
1⤵
PID:10868
- C:\Windows\SysWOW64\Jngbjd32.exe
  C:\Windows\system32\Jngbjd32.exe
  2⤵
  PID:10912
- - C:\Windows\SysWOW64\Jpenfp32.exe
    C:\Windows\system32\Jpenfp32.exe
    3⤵
    PID:10960
  - - C:\Windows\SysWOW64\Jgpfbjlo.exe
      C:\Windows\system32\Jgpfbjlo.exe
      4⤵
      PID:11000

C:\Windows\SysWOW64\Jinboekc.exe
C:\Windows\system32\Jinboekc.exe
1⤵
PID:11048
- C:\Windows\SysWOW64\Jllokajf.exe
  C:\Windows\system32\Jllokajf.exe
  2⤵
  PID:11096
- - C:\Windows\SysWOW64\Jcfggkac.exe
    C:\Windows\system32\Jcfggkac.exe
    3⤵
    PID:11136

C:\Windows\SysWOW64\Jedccfqg.exe
C:\Windows\system32\Jedccfqg.exe
1⤵
PID:11176
- C:\Windows\SysWOW64\Komhll32.exe
  C:\Windows\system32\Komhll32.exe
  2⤵
  PID:11220
- - C:\Windows\SysWOW64\Kegpifod.exe
    C:\Windows\system32\Kegpifod.exe
    3⤵
    PID:10244
  - - C:\Windows\SysWOW64\Kpmdfonj.exe
      C:\Windows\system32\Kpmdfonj.exe
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        5⤵
        
        PID:10340
      - C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        6⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        7⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        8⤵
        
        PID:10584

C:\Windows\SysWOW64\Kncaec32.exe
C:\Windows\system32\Kncaec32.exe
1⤵
PID:3600
- C:\Windows\SysWOW64\Kpanan32.exe
  C:\Windows\system32\Kpanan32.exe
  2⤵
  PID:10692

C:\Windows\SysWOW64\Kcpjnjii.exe
C:\Windows\system32\Kcpjnjii.exe
1⤵
PID:10740
- C:\Windows\SysWOW64\Kfnfjehl.exe
  C:\Windows\system32\Kfnfjehl.exe
  2⤵
  PID:10816

C:\Windows\SysWOW64\Knenkbio.exe
C:\Windows\system32\Knenkbio.exe
1⤵
PID:10876
- C:\Windows\SysWOW64\Kpcjgnhb.exe
  C:\Windows\system32\Kpcjgnhb.exe
  2⤵
  PID:10940
- - C:\Windows\SysWOW64\Kcbfcigf.exe
    C:\Windows\system32\Kcbfcigf.exe
    3⤵
    PID:10992
  - - C:\Windows\SysWOW64\Kjlopc32.exe
      C:\Windows\system32\Kjlopc32.exe
      4⤵
      PID:11084
    - - C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        5⤵
        
        PID:11116

C:\Windows\SysWOW64\Loighj32.exe
C:\Windows\system32\Loighj32.exe
1⤵
PID:11196
- C:\Windows\SysWOW64\Lgpoihnl.exe
  C:\Windows\system32\Lgpoihnl.exe
  2⤵
  PID:11260
- - C:\Windows\SysWOW64\Ljnlecmp.exe
    C:\Windows\system32\Ljnlecmp.exe
    3⤵
    PID:10312

C:\Windows\SysWOW64\Llmhaold.exe
C:\Windows\system32\Llmhaold.exe
1⤵
PID:10436
- C:\Windows\SysWOW64\Lcgpni32.exe
  C:\Windows\system32\Lcgpni32.exe
  2⤵
  PID:10528
- - C:\Windows\SysWOW64\Lfeljd32.exe
    C:\Windows\system32\Lfeljd32.exe
    3⤵
    PID:9868

C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
1⤵
PID:756
- C:\Windows\SysWOW64\Llodgnja.exe
  C:\Windows\system32\Llodgnja.exe
  2⤵
  PID:10724

C:\Windows\SysWOW64\Lomqcjie.exe
C:\Windows\system32\Lomqcjie.exe
1⤵
PID:10812
- C:\Windows\SysWOW64\Lgdidgjg.exe
  C:\Windows\system32\Lgdidgjg.exe
  2⤵
  PID:10924
- - C:\Windows\SysWOW64\Ljceqb32.exe
    C:\Windows\system32\Ljceqb32.exe
    3⤵
    PID:10984

C:\Windows\SysWOW64\Lnoaaaad.exe
C:\Windows\system32\Lnoaaaad.exe
1⤵
PID:11148
- C:\Windows\SysWOW64\Lopmii32.exe
  C:\Windows\system32\Lopmii32.exe
  2⤵
  PID:11252

C:\Windows\SysWOW64\Lggejg32.exe
C:\Windows\system32\Lggejg32.exe
1⤵
PID:10268
- C:\Windows\SysWOW64\Lfjfecno.exe
  C:\Windows\system32\Lfjfecno.exe
  2⤵
  PID:10520
- - C:\Windows\SysWOW64\Lnangaoa.exe
    C:\Windows\system32\Lnangaoa.exe
    3⤵
    PID:10564
  - - C:\Windows\SysWOW64\Lqojclne.exe
      C:\Windows\system32\Lqojclne.exe
      4⤵
      PID:10736
    - - C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        5⤵
        
        PID:10896
      - C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        6⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        7⤵
        
        PID:11208

C:\Windows\SysWOW64\Mmhgmmbf.exe
C:\Windows\system32\Mmhgmmbf.exe
1⤵
PID:10468
- C:\Windows\SysWOW64\Mogcihaj.exe
  C:\Windows\system32\Mogcihaj.exe
  2⤵
  PID:10604
- - C:\Windows\SysWOW64\Mgnlkfal.exe
    C:\Windows\system32\Mgnlkfal.exe
    3⤵
    PID:10920
  - - C:\Windows\SysWOW64\Mjlhgaqp.exe
      C:\Windows\system32\Mjlhgaqp.exe
      4⤵
      PID:11072

C:\Windows\SysWOW64\Mmkdcm32.exe
C:\Windows\system32\Mmkdcm32.exe
1⤵
PID:10356
- C:\Windows\SysWOW64\Mcelpggq.exe
  C:\Windows\system32\Mcelpggq.exe
  2⤵
  PID:10664

C:\Windows\SysWOW64\Mfchlbfd.exe
C:\Windows\system32\Mfchlbfd.exe
1⤵
PID:11080
- C:\Windows\SysWOW64\Mqimikfj.exe
  C:\Windows\system32\Mqimikfj.exe
  2⤵
  PID:10732

C:\Windows\SysWOW64\Mgbefe32.exe
C:\Windows\system32\Mgbefe32.exe
1⤵
PID:11028
- C:\Windows\SysWOW64\Mjaabq32.exe
  C:\Windows\system32\Mjaabq32.exe
  2⤵
  PID:11272
- - C:\Windows\SysWOW64\Mmpmnl32.exe
    C:\Windows\system32\Mmpmnl32.exe
    3⤵
    PID:11312

C:\Windows\SysWOW64\Mcifkf32.exe
C:\Windows\system32\Mcifkf32.exe
1⤵
PID:11356
- C:\Windows\SysWOW64\Mfhbga32.exe
  C:\Windows\system32\Mfhbga32.exe
  2⤵
  PID:11388
- - C:\Windows\SysWOW64\Nmbjcljl.exe
    C:\Windows\system32\Nmbjcljl.exe
    3⤵
    PID:11436
  - - C:\Windows\SysWOW64\Nopfpgip.exe
      C:\Windows\system32\Nopfpgip.exe
      4⤵
      PID:11500

C:\Windows\SysWOW64\Nmdgikhi.exe
C:\Windows\system32\Nmdgikhi.exe
1⤵
PID:11540
- C:\Windows\SysWOW64\Npbceggm.exe
  C:\Windows\system32\Npbceggm.exe
  2⤵
  PID:11588
- - C:\Windows\SysWOW64\Njhgbp32.exe
    C:\Windows\system32\Njhgbp32.exe
    3⤵
    PID:11624

C:\Windows\SysWOW64\Nmfcok32.exe
C:\Windows\system32\Nmfcok32.exe
1⤵
PID:11668
- C:\Windows\SysWOW64\Npepkf32.exe
  C:\Windows\system32\Npepkf32.exe
  2⤵
  PID:11716
- - C:\Windows\SysWOW64\Njjdho32.exe
    C:\Windows\system32\Njjdho32.exe
    3⤵
    PID:11764
  - - C:\Windows\SysWOW64\Nmipdk32.exe
      C:\Windows\system32\Nmipdk32.exe
      4⤵
      PID:11808
    - - C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        5⤵
        
        PID:11860
      - C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        6⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        7⤵
        
        PID:11944

C:\Windows\SysWOW64\Nfcabp32.exe
C:\Windows\system32\Nfcabp32.exe
1⤵
PID:11992
- C:\Windows\SysWOW64\Onkidm32.exe
  C:\Windows\system32\Onkidm32.exe
  2⤵
  PID:12032
- - C:\Windows\SysWOW64\Oplfkeob.exe
    C:\Windows\system32\Oplfkeob.exe
    3⤵
    PID:12072
  - - C:\Windows\SysWOW64\Offnhpfo.exe
      C:\Windows\system32\Offnhpfo.exe
      4⤵
      PID:12112

C:\Windows\SysWOW64\Onmfimga.exe
C:\Windows\system32\Onmfimga.exe
1⤵
PID:12152
- C:\Windows\SysWOW64\Oakbehfe.exe
  C:\Windows\system32\Oakbehfe.exe
  2⤵
  PID:12192

C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
1⤵
PID:12232
- C:\Windows\SysWOW64\Ofhknodl.exe
  C:\Windows\system32\Ofhknodl.exe
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\Oanokhdb.exe
    C:\Windows\system32\Oanokhdb.exe
    3⤵
    PID:11320
  - - C:\Windows\SysWOW64\Oghghb32.exe
      C:\Windows\system32\Oghghb32.exe
      4⤵
      PID:11384
    - - C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        5⤵
        
        PID:11476
      - C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        6⤵
        
        PID:11536

C:\Windows\SysWOW64\Ofmdio32.exe
C:\Windows\system32\Ofmdio32.exe
1⤵
PID:11616
- C:\Windows\SysWOW64\Ojhpimhp.exe
  C:\Windows\system32\Ojhpimhp.exe
  2⤵
  PID:11676
- - C:\Windows\SysWOW64\Opeiadfg.exe
    C:\Windows\system32\Opeiadfg.exe
    3⤵
    PID:11744
  - - C:\Windows\SysWOW64\Paeelgnj.exe
      C:\Windows\system32\Paeelgnj.exe
      4⤵
      PID:11828
    - - C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        5⤵
        
        PID:11892

C:\Windows\SysWOW64\Pmlfqh32.exe
C:\Windows\system32\Pmlfqh32.exe
1⤵
PID:11956
- C:\Windows\SysWOW64\Pdenmbkk.exe
  C:\Windows\system32\Pdenmbkk.exe
  2⤵
  PID:12040
- - C:\Windows\SysWOW64\Pfdjinjo.exe
    C:\Windows\system32\Pfdjinjo.exe
    3⤵
    PID:12100

C:\Windows\SysWOW64\Pnkbkk32.exe
C:\Windows\system32\Pnkbkk32.exe
1⤵
PID:12136
- C:\Windows\SysWOW64\Pplobcpp.exe
  C:\Windows\system32\Pplobcpp.exe
  2⤵
  PID:12240
- - C:\Windows\SysWOW64\Pnmopk32.exe
    C:\Windows\system32\Pnmopk32.exe
    3⤵
    PID:12272
  - - C:\Windows\SysWOW64\Palklf32.exe
      C:\Windows\system32\Palklf32.exe
      4⤵
      PID:11364

C:\Windows\SysWOW64\Pdjgha32.exe
C:\Windows\system32\Pdjgha32.exe
1⤵
PID:11520
- C:\Windows\SysWOW64\Pfiddm32.exe
  C:\Windows\system32\Pfiddm32.exe
  2⤵
  PID:11644
- - C:\Windows\SysWOW64\Pmblagmf.exe
    C:\Windows\system32\Pmblagmf.exe
    3⤵
    PID:11788

C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\system32\Pdmdnadc.exe
1⤵
PID:11888
- C:\Windows\SysWOW64\Qhhpop32.exe
  C:\Windows\system32\Qhhpop32.exe
  2⤵
  PID:12020
- - C:\Windows\SysWOW64\Qodeajbg.exe
    C:\Windows\system32\Qodeajbg.exe
    3⤵
    PID:12148
  - - C:\Windows\SysWOW64\Qpeahb32.exe
      C:\Windows\system32\Qpeahb32.exe
      4⤵
      PID:12256

C:\Windows\SysWOW64\Afpjel32.exe
C:\Windows\system32\Afpjel32.exe
1⤵
PID:11396
- C:\Windows\SysWOW64\Aogbfi32.exe
  C:\Windows\system32\Aogbfi32.exe
  2⤵
  PID:11580
- - C:\Windows\SysWOW64\Aaenbd32.exe
    C:\Windows\system32\Aaenbd32.exe
    3⤵
    PID:11896
  - - C:\Windows\SysWOW64\Ahofoogd.exe
      C:\Windows\system32\Ahofoogd.exe
      4⤵
      PID:11372

C:\Windows\SysWOW64\Aknbkjfh.exe
C:\Windows\system32\Aknbkjfh.exe
1⤵
PID:12268
- C:\Windows\SysWOW64\Amlogfel.exe
  C:\Windows\system32\Amlogfel.exe
  2⤵
  PID:11548
- - C:\Windows\SysWOW64\Aagkhd32.exe
    C:\Windows\system32\Aagkhd32.exe
    3⤵
    PID:11884

C:\Windows\SysWOW64\Adfgdpmi.exe
C:\Windows\system32\Adfgdpmi.exe
1⤵
PID:12200
- C:\Windows\SysWOW64\Ahaceo32.exe
  C:\Windows\system32\Ahaceo32.exe
  2⤵
  PID:11724

C:\Windows\SysWOW64\Aokkahlo.exe
C:\Windows\system32\Aokkahlo.exe
1⤵
PID:11304
- C:\Windows\SysWOW64\Amnlme32.exe
  C:\Windows\system32\Amnlme32.exe
  2⤵
  PID:12120

C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
1⤵
PID:12080
- C:\Windows\SysWOW64\Adhdjpjf.exe
  C:\Windows\system32\Adhdjpjf.exe
  2⤵
  PID:12332

C:\Windows\SysWOW64\Aggpfkjj.exe
C:\Windows\system32\Aggpfkjj.exe
1⤵
PID:12372
- C:\Windows\SysWOW64\Akblfj32.exe
  C:\Windows\system32\Akblfj32.exe
  2⤵
  PID:12408

C:\Windows\SysWOW64\Amqhbe32.exe
C:\Windows\system32\Amqhbe32.exe
1⤵
PID:12444
- C:\Windows\SysWOW64\Aaldccip.exe
  C:\Windows\system32\Aaldccip.exe
  2⤵
  PID:12480

C:\Windows\SysWOW64\Adkqoohc.exe
C:\Windows\system32\Adkqoohc.exe
1⤵
PID:12516
- C:\Windows\SysWOW64\Agimkk32.exe
  C:\Windows\system32\Agimkk32.exe
  2⤵
  PID:12552
- - C:\Windows\SysWOW64\Akdilipp.exe
    C:\Windows\system32\Akdilipp.exe
    3⤵
    PID:12588
  - - C:\Windows\SysWOW64\Amcehdod.exe
      C:\Windows\system32\Amcehdod.exe
      4⤵
      PID:12624

C:\Windows\SysWOW64\Apaadpng.exe
C:\Windows\system32\Apaadpng.exe
1⤵
PID:12660
- C:\Windows\SysWOW64\Bdmmeo32.exe
  C:\Windows\system32\Bdmmeo32.exe
  2⤵
  PID:12696
- - C:\Windows\SysWOW64\Bkgeainn.exe
    C:\Windows\system32\Bkgeainn.exe
    3⤵
    PID:12732

C:\Windows\SysWOW64\Bmeandma.exe
C:\Windows\system32\Bmeandma.exe
1⤵
PID:12768
- C:\Windows\SysWOW64\Baannc32.exe
  C:\Windows\system32\Baannc32.exe
  2⤵
  PID:12804

C:\Windows\SysWOW64\Bdojjo32.exe
C:\Windows\system32\Bdojjo32.exe
1⤵
PID:12840
- C:\Windows\SysWOW64\Bgnffj32.exe
  C:\Windows\system32\Bgnffj32.exe
  2⤵
  PID:12876
- - C:\Windows\SysWOW64\Boenhgdd.exe
    C:\Windows\system32\Boenhgdd.exe
    3⤵
    PID:12912

C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
1⤵
PID:12948
- C:\Windows\SysWOW64\Bpfkpp32.exe
  C:\Windows\system32\Bpfkpp32.exe
  2⤵
  PID:12984

C:\Windows\SysWOW64\Bhmbqm32.exe
C:\Windows\system32\Bhmbqm32.exe
1⤵
PID:13024
- C:\Windows\SysWOW64\Bklomh32.exe
  C:\Windows\system32\Bklomh32.exe
  2⤵
  PID:13060
- - C:\Windows\SysWOW64\Bmjkic32.exe
    C:\Windows\system32\Bmjkic32.exe
    3⤵
    PID:13096

C:\Windows\SysWOW64\Bddcenpi.exe
C:\Windows\system32\Bddcenpi.exe
1⤵
PID:13132
- C:\Windows\SysWOW64\Bgbpaipl.exe
  C:\Windows\system32\Bgbpaipl.exe
  2⤵
  PID:13172
- - C:\Windows\SysWOW64\Boihcf32.exe
    C:\Windows\system32\Boihcf32.exe
    3⤵
    PID:13208

C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
1⤵
PID:13244
- C:\Windows\SysWOW64\Bpkdjofm.exe
  C:\Windows\system32\Bpkdjofm.exe
  2⤵
  PID:13280
- - C:\Windows\SysWOW64\Bhblllfo.exe
    C:\Windows\system32\Bhblllfo.exe
    3⤵
    PID:11972

C:\Windows\SysWOW64\Bkphhgfc.exe
C:\Windows\system32\Bkphhgfc.exe
1⤵
PID:12312
- C:\Windows\SysWOW64\Boldhf32.exe
  C:\Windows\system32\Boldhf32.exe
  2⤵
  PID:12404

C:\Windows\SysWOW64\Bajqda32.exe
C:\Windows\system32\Bajqda32.exe
1⤵
PID:12468
- C:\Windows\SysWOW64\Chdialdl.exe
  C:\Windows\system32\Chdialdl.exe
  2⤵
  PID:12428

C:\Windows\SysWOW64\Ckbemgcp.exe
C:\Windows\system32\Ckbemgcp.exe
1⤵
PID:12656
- C:\Windows\SysWOW64\Cnaaib32.exe
  C:\Windows\system32\Cnaaib32.exe
  2⤵
  PID:12740

C:\Windows\SysWOW64\Cponen32.exe
C:\Windows\system32\Cponen32.exe
1⤵
PID:12812
- C:\Windows\SysWOW64\Chfegk32.exe
  C:\Windows\system32\Chfegk32.exe
  2⤵
  PID:12872
- - C:\Windows\SysWOW64\Coqncejg.exe
    C:\Windows\system32\Coqncejg.exe
    3⤵
    PID:12944
  - - C:\Windows\SysWOW64\Caojpaij.exe
      C:\Windows\system32\Caojpaij.exe
      4⤵
      PID:13048

C:\Windows\SysWOW64\Cdmfllhn.exe
C:\Windows\system32\Cdmfllhn.exe
1⤵
PID:13124
- C:\Windows\SysWOW64\Chiblk32.exe
  C:\Windows\system32\Chiblk32.exe
  2⤵
  PID:13196

C:\Windows\SysWOW64\Cocjiehd.exe
C:\Windows\system32\Cocjiehd.exe
1⤵
PID:13240
- C:\Windows\SysWOW64\Caageq32.exe
  C:\Windows\system32\Caageq32.exe
  2⤵
  PID:13308
- - C:\Windows\SysWOW64\Cdpcal32.exe
    C:\Windows\system32\Cdpcal32.exe
    3⤵
    PID:12364
  - - C:\Windows\SysWOW64\Ckjknfnh.exe
      C:\Windows\system32\Ckjknfnh.exe
      4⤵
      PID:12560

C:\Windows\SysWOW64\Cnhgjaml.exe
C:\Windows\system32\Cnhgjaml.exe
1⤵
PID:12716
- C:\Windows\SysWOW64\Cpfcfmlp.exe
  C:\Windows\system32\Cpfcfmlp.exe
  2⤵
  PID:12796

C:\Windows\SysWOW64\Cdbpgl32.exe
C:\Windows\system32\Cdbpgl32.exe
1⤵
PID:12980
- C:\Windows\SysWOW64\Cgqlcg32.exe
  C:\Windows\system32\Cgqlcg32.exe
  2⤵
  PID:13120
- - C:\Windows\SysWOW64\Cogddd32.exe
    C:\Windows\system32\Cogddd32.exe
    3⤵
    PID:13272

C:\Windows\SysWOW64\Dpiplm32.exe
C:\Windows\system32\Dpiplm32.exe
1⤵
PID:12360
- C:\Windows\SysWOW64\Dddllkbf.exe
  C:\Windows\system32\Dddllkbf.exe
  2⤵
  PID:12836
- - C:\Windows\SysWOW64\Dhbebj32.exe
    C:\Windows\system32\Dhbebj32.exe
    3⤵
    PID:13008
  - - C:\Windows\SysWOW64\Dkqaoe32.exe
      C:\Windows\system32\Dkqaoe32.exe
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6388 -s 400
        5⤵
        Program crash
        
        PID:13080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6388 -ip 6388
1⤵
PID:12596

C:\Windows\SysWOW64\Jgmjmjnb.exe
C:\Windows\system32\Jgmjmjnb.exe
1⤵
PID:10832

C:\Windows\SysWOW64\Ibhkfm32.exe
C:\Windows\system32\Ibhkfm32.exe
1⤵
PID:5700

C:\Windows\SysWOW64\Eiokinbk.exe
C:\Windows\system32\Eiokinbk.exe
1⤵
PID:1028

C:\Windows\SysWOW64\Dijbno32.exe
C:\Windows\system32\Dijbno32.exe
1⤵
PID:5696

C:\Windows\SysWOW64\Ddnfmqng.exe
C:\Windows\system32\Ddnfmqng.exe
1⤵
PID:5436

C:\Windows\SysWOW64\Ddjmba32.exe
C:\Windows\system32\Ddjmba32.exe
1⤵
PID:5312

C:\Windows\SysWOW64\Dmohno32.exe
C:\Windows\system32\Dmohno32.exe
1⤵
PID:5380

C:\Windows\SysWOW64\Adndoe32.exe
C:\Windows\system32\Adndoe32.exe
1⤵
PID:10008

C:\Windows\SysWOW64\Aehgnied.exe
C:\Windows\system32\Aehgnied.exe
1⤵
PID:956

C:\Windows\SysWOW64\Anobgl32.exe
C:\Windows\system32\Anobgl32.exe
1⤵
PID:1372

C:\Windows\SysWOW64\Amjillkj.exe
C:\Windows\system32\Amjillkj.exe
1⤵
PID:5164

C:\Windows\SysWOW64\Pehngkcg.exe
C:\Windows\system32\Pehngkcg.exe
1⤵
PID:2120

C:\Windows\SysWOW64\Pdhbmh32.exe
C:\Windows\system32\Pdhbmh32.exe
1⤵
PID:10016

C:\Windows\SysWOW64\Mkmkkjko.exe
C:\Windows\system32\Mkmkkjko.exe
1⤵
PID:10084

C:\Windows\SysWOW64\Lcnmin32.exe
C:\Windows\system32\Lcnmin32.exe
1⤵
PID:9784

C:\Windows\SysWOW64\Kqbdldnq.exe
C:\Windows\system32\Kqbdldnq.exe
1⤵
PID:9992

C:\Windows\SysWOW64\Kdkdgchl.exe
C:\Windows\system32\Kdkdgchl.exe
1⤵
PID:9920

C:\Windows\SysWOW64\Kkconn32.exe
C:\Windows\system32\Kkconn32.exe
1⤵
PID:9832

C:\Windows\SysWOW64\Kclgmq32.exe
C:\Windows\system32\Kclgmq32.exe
1⤵
PID:2888

C:\Windows\SysWOW64\Kmaopfjm.exe
C:\Windows\system32\Kmaopfjm.exe
1⤵
PID:9744

C:\Windows\SysWOW64\Kkpbin32.exe
C:\Windows\system32\Kkpbin32.exe
1⤵
PID:9660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfefkkqp.exe

Filesize
56KB

MD5
8eb87090b6427585a213cf0c28a0b783

SHA1
b2e47f87f9b15daf25925bcf054b7bed6c04f7d7

SHA256
dc8cea7f610e59c1f07a56805ca93aede5db6f7bedb95bd5b612d6efb9b1acb4

SHA512
cbd0b3883aca889d11a8cf3fa3178825af5c23bf6e8736cf07971766f3f30be6109c67089ff436879f5d830ec7947d93ebf404310ec8e912a81561dbfd875cb8

Download Submit
C:\Windows\SysWOW64\Dpnkdq32.exe

Filesize
56KB

MD5
0dc3ec7075c97ae4dbe5eb1cb545f50b

SHA1
06b903284d2d6003d10fc73308118fcfd722cfd0

SHA256
4a0550657125eee5d32034d1a23cbb6b9675eb7910a4377cae5bff8dd9547ad6

SHA512
f4e9ed4731fb42fc1002358ad11269da0f0cf4adb2c78657656be38cbb27caa320ea79d53858095fcccda46e4056973c8bf0a76318d11ab9fa7d158f62fd5e71

Download Submit
C:\Windows\SysWOW64\Hdjbiheb.exe

Filesize
56KB

MD5
cdffe5531a6c33f4050ff50c6cab47aa

SHA1
ab8fdebfbc0ebd9463450845a04266fa7a3ab0b8

SHA256
84a8629119839cb6fe5b8605aa12b48a2bf9383f01f108eb3967c2b3c4f99dc2

SHA512
2a88c30d0fad2cb377c81ed13ee0b87a6995abdc0cb9a6523d4486dd54710bdcd8546d8c50284319e09bf966cdd458b29147f5ecce0b6fcc2f9a20ddd27e9292

Download Submit
C:\Windows\SysWOW64\Hdokdg32.exe

Filesize
56KB

MD5
ad933f107f774c7bd1cc0fbf9a04f265

SHA1
a37a5091bf3fcc9b5f5fde9d21b0e506378294e8

SHA256
3dea0be48e25a8ac88cc6dc7b2693130f3d31b318dc5f5a5d7ad515311109275

SHA512
51ca0ba7c457a9a7dd4b9ac3af7c3fceb8b41cb5078411d9a795a4edc0d1aae561182f06dab5d19d74132514a274920e5cd8d321e20e331bb4b9f3af076a7b45

Download Submit
C:\Windows\SysWOW64\Hplicjok.exe

Filesize
56KB

MD5
c4aea5b07d87b4d9a160e2d9958f909c

SHA1
1fd3d72604e77628ab074bc6b2dd82949c5b838f

SHA256
b6f3facacdb68b256c16c9363c8e38b40adbb88171befd09533675aa25f58ac3

SHA512
715a4cdae57e57e5fc2bc72afd505e9c20dc8e34161d7645af2bac1c2b43e54a750228d57d0a595daae813df2268ad63dd893b4eecfdb66ae0589b396f34df5d

Download Submit
C:\Windows\SysWOW64\Icdheded.exe

Filesize
56KB

MD5
ed7350537e6f52c1a10863bc65bf8140

SHA1
ec39ff14ba536e521bb2a0f469f1e79b4f560461

SHA256
717da8eceb3206118b322bee321b2ec0ec91cbbb6feeb28522145e602ecfe5dd

SHA512
dea1d79309db37d4e0512623b7d05d8695218c83ee4566cc241ec3bb882656c51e2dc20659b01aae210ab9dc521c1d11fe8b32ffc1c87ee1c4a444993672a02e

Download Submit
C:\Windows\SysWOW64\Icfekc32.exe

Filesize
56KB

MD5
f3033769c7f92534698ef37e197627c0

SHA1
d53e8c8b12b33900e8bd1c4f5f38c96e15d447f6

SHA256
e55a95741d49e0f7029a99bd34d69de4a9860b13d641f6fff26373f91d47bacd

SHA512
84087f47bd21d7fb772a7f43a9e4e5c5d43db5bc4b38f743f69a242cf54bdfec97e34ce0160b97667ca8659f23333ede075674d14775b776f2f32c9360e1678d

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
56KB

MD5
74c2f4e5804c08717b8db92e57fb1d1d

SHA1
bc77a5ffba1b8bb813a69953910ba6c12e518b27

SHA256
83ac0ccf1e90bdf3d6727eab434811a80098526599a1e8e9f55a7d0b78afb121

SHA512
567797a00bf1fd2cbf2f669b43db0d68893e0a736ecee0ddc21639d75b7191beb68366f99803aa2b4dc850137a8cb0233260554ff0fff56c41c8dbfe68a3e9f9

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
56KB

MD5
157629dc1265c6a2f2e965568b01d799

SHA1
6e5a817b11b6185f2c157b5792d226c05589b875

SHA256
c4485af8d3115e3d0accbb35a020a00a2d6bc5ecef776a29384495d2b1d1b418

SHA512
d8b05020920f96aba77a09f8c06c32b87f3ac25cd1e9bbd804f7fec89e54e95d89fafbbe506bd1dcbaabc61c02deae0478fc547d743087f4baeb80a652df8a70

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
56KB

MD5
59ab0fa0d3fa42f21de47240e4649a8e

SHA1
1afdcf1bb55054cc48d3046a249bebe6d2feefac

SHA256
26652c3fd0d8c69a167142ce71b861976d02a8796e2a0c834f7d1e94a4066b85

SHA512
69775f66c2b6665d95d70e32b7fd70dd0272900640018c4e5428235662a0d80170c248e86b84054916dd1650e0fec857269f3ec89af7c2ed3c1eaeb8b1611890

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
56KB

MD5
b8169e925d17d3d5b56750dd4a174dc6

SHA1
fd63be003bd8d04eef8766fc76f80bab33f05aca

SHA256
2a869bc9abdeea1b1c3b81831c0eb7d194cf7a93bf024eaac58a8402c8707894

SHA512
81ba58b0587f7fe52ec902c3e70e4bcde82ab2f265aea0514babfdc899e11c3ec09f0bbacea17d6800b7f60e6bba0665c525e6acb2081c174bf70805c24841bf

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
56KB

MD5
23dfa8a6250020028caddd25bcba4d77

SHA1
d5fd1191352d8b2b11370daa2ebcd24fb3c78ad4

SHA256
0a50488147bdcce14b2932fd130466827e78f28e801e2cadc9103db7c1c0a785

SHA512
817f50062c437d71f8320a81696c69903477e9828bf170c11a8c0dbc23392bfe87eb7b96faa5dd681456360cec669be9597aeef99758729671b0039f05b92882

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
56KB

MD5
7c3548bee10a5fb746c0dd7831993740

SHA1
45dffee2142fef0170d02ab57a5bc5382d9622d6

SHA256
b7dcca2918e8eaad49a7d5967849a340c1550faeb7412b4d28e2e1272ab569c1

SHA512
2df989d6efb0bc0af619d8575ae4b8d4d591aa8c944f9cf519fd35f57443fe1159ba2ff777b4ab87090e58122c4d7ca430df19ddfc59701000908bec27413612

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
56KB

MD5
4e3cd2e8979545d2ed4f44d213568b43

SHA1
cb26f61fa87f9c8c8fd77a33f90a7ed2aaf9a2f8

SHA256
22a09b1c29814ff65c16fec7668731485846f5a7920951ed71b6bcffebcb2de0

SHA512
5cb7457009c2ab0423ccfe82bd28b10f0a9dcdf7330e70ece641a11358147f86e8e6c3e439c813e151872355f994a07cb6d15b410be724a65293029c13840ec9

Download Submit
memory/208-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads