aa05e02c732bfeb903dc146880fa7eadedb40b8c52b5edfb6deb9e39dd45b1c0

Analysis

max time kernel
0s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

110dbcc0286f1da413855fe17a0ebc25.exe
Size

5.1MB
MD5

110dbcc0286f1da413855fe17a0ebc25
SHA1

aebd1c3bbf1b62cf20da909547de14049bc53f9f
SHA256

aa05e02c732bfeb903dc146880fa7eadedb40b8c52b5edfb6deb9e39dd45b1c0
SHA512

116d1204f524d774e1d0ebc8ad6a0444b3b84d9419305d6f5eb26f6e99f3784006400c8c5d947be9cc5ff946f3397da35c08f8a380d320085b1ba7e63181ded6
SSDEEP

98304:DjkjfUkjkjfpfjkjfUkjkjfqkjkjfUkjkjfpfjkjfUkjkjfKjkjfUkjkjfpfjkjv:C6U6K6U6F6U6K6U60

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	110dbcc0286f1da413855fe17a0ebc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	110dbcc0286f1da413855fe17a0ebc25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 8 IoCs

pid	Process
2212	Nkjjij32.exe
4236	Nqfbaq32.exe
3132	Njogjfoj.exe
432	Nqiogp32.exe
4324	Nkncdifl.exe
1900	Ndghmo32.exe
3204	Njcpee32.exe
3580	Ndidbn32.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	110dbcc0286f1da413855fe17a0ebc25.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Njfmke32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	110dbcc0286f1da413855fe17a0ebc25.exe
File created	C:\Windows\SysWOW64\Jheiojpj.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njfmke32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	110dbcc0286f1da413855fe17a0ebc25.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8908	8764	WerFault.exe	241

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	110dbcc0286f1da413855fe17a0ebc25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	110dbcc0286f1da413855fe17a0ebc25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	110dbcc0286f1da413855fe17a0ebc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	110dbcc0286f1da413855fe17a0ebc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	110dbcc0286f1da413855fe17a0ebc25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheiojpj.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	110dbcc0286f1da413855fe17a0ebc25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2212	1580	110dbcc0286f1da413855fe17a0ebc25.exe	263
PID 1580 wrote to memory of 2212	1580	110dbcc0286f1da413855fe17a0ebc25.exe	263
PID 1580 wrote to memory of 2212	1580	110dbcc0286f1da413855fe17a0ebc25.exe	263
PID 2212 wrote to memory of 4236	2212	Nkjjij32.exe	14
PID 2212 wrote to memory of 4236	2212	Nkjjij32.exe	14
PID 2212 wrote to memory of 4236	2212	Nkjjij32.exe	14
PID 4236 wrote to memory of 3132	4236	Nqfbaq32.exe	262
PID 4236 wrote to memory of 3132	4236	Nqfbaq32.exe	262
PID 4236 wrote to memory of 3132	4236	Nqfbaq32.exe	262
PID 3132 wrote to memory of 432	3132	Njogjfoj.exe	261
PID 3132 wrote to memory of 432	3132	Njogjfoj.exe	261
PID 3132 wrote to memory of 432	3132	Njogjfoj.exe	261
PID 432 wrote to memory of 4324	432	Nqiogp32.exe	16
PID 432 wrote to memory of 4324	432	Nqiogp32.exe	16
PID 432 wrote to memory of 4324	432	Nqiogp32.exe	16
PID 4324 wrote to memory of 1900	4324	Nkncdifl.exe	259
PID 4324 wrote to memory of 1900	4324	Nkncdifl.exe	259
PID 4324 wrote to memory of 1900	4324	Nkncdifl.exe	259
PID 1900 wrote to memory of 3204	1900	Ndghmo32.exe	257
PID 1900 wrote to memory of 3204	1900	Ndghmo32.exe	257
PID 1900 wrote to memory of 3204	1900	Ndghmo32.exe	257
PID 3204 wrote to memory of 3580	3204	Njcpee32.exe	256
PID 3204 wrote to memory of 3580	3204	Njcpee32.exe	256
PID 3204 wrote to memory of 3580	3204	Njcpee32.exe	256

C:\Users\Admin\AppData\Local\Temp\110dbcc0286f1da413855fe17a0ebc25.exe
"C:\Users\Admin\AppData\Local\Temp\110dbcc0286f1da413855fe17a0ebc25.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\Nkjjij32.exe
  C:\Windows\system32\Nkjjij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3132

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\Ndghmo32.exe
  C:\Windows\system32\Ndghmo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1900

C:\Windows\SysWOW64\Njfmke32.exe
C:\Windows\system32\Njfmke32.exe
1⤵
PID:2688
- C:\Windows\SysWOW64\Ndkahnhh.exe
  C:\Windows\system32\Ndkahnhh.exe
  2⤵
  PID:784
- - C:\Windows\SysWOW64\Okeieh32.exe
    C:\Windows\system32\Okeieh32.exe
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\Oqbamo32.exe
      C:\Windows\system32\Oqbamo32.exe
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\Obangb32.exe
        
        C:\Windows\system32\Obangb32.exe
        5⤵
        
        PID:4516
      - C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        6⤵
        
        PID:396

C:\Windows\SysWOW64\Obdkma32.exe
C:\Windows\system32\Obdkma32.exe
1⤵
PID:2220
- C:\Windows\SysWOW64\Ogaceh32.exe
  C:\Windows\system32\Ogaceh32.exe
  2⤵
  PID:644
- - C:\Windows\SysWOW64\Obfhba32.exe
    C:\Windows\system32\Obfhba32.exe
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\Okolkg32.exe
      C:\Windows\system32\Okolkg32.exe
      4⤵
      PID:3752

C:\Windows\SysWOW64\Oqkdcn32.exe
C:\Windows\system32\Oqkdcn32.exe
1⤵
PID:2604
- C:\Windows\SysWOW64\Pjdilcla.exe
  C:\Windows\system32\Pjdilcla.exe
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\Pclneicb.exe
    C:\Windows\system32\Pclneicb.exe
    3⤵
    PID:5052

C:\Windows\SysWOW64\Pcojkhap.exe
C:\Windows\system32\Pcojkhap.exe
1⤵
PID:4840
- C:\Windows\SysWOW64\Pndohaqe.exe
  C:\Windows\system32\Pndohaqe.exe
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\Pcagphom.exe
    C:\Windows\system32\Pcagphom.exe
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\Pjkombfj.exe
      C:\Windows\system32\Pjkombfj.exe
      4⤵
      PID:4012

C:\Windows\SysWOW64\Pcccfh32.exe
C:\Windows\system32\Pcccfh32.exe
1⤵
PID:2720
- C:\Windows\SysWOW64\Pnihcq32.exe
  C:\Windows\system32\Pnihcq32.exe
  2⤵
  PID:4352

C:\Windows\SysWOW64\Qgallfcq.exe
C:\Windows\system32\Qgallfcq.exe
1⤵
PID:3096
- C:\Windows\SysWOW64\Qbgqio32.exe
  C:\Windows\system32\Qbgqio32.exe
  2⤵
  PID:4112

C:\Windows\SysWOW64\Qgciaf32.exe
C:\Windows\system32\Qgciaf32.exe
1⤵
PID:2096
- C:\Windows\SysWOW64\Acjjfggb.exe
  C:\Windows\system32\Acjjfggb.exe
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\Anpncp32.exe
    C:\Windows\system32\Anpncp32.exe
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\Acmflf32.exe
      C:\Windows\system32\Acmflf32.exe
      4⤵
      PID:3264
    - - C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        5⤵
        
        PID:3788

C:\Windows\SysWOW64\Acocaf32.exe
C:\Windows\system32\Acocaf32.exe
1⤵
PID:3528
- C:\Windows\SysWOW64\Andgoobc.exe
  C:\Windows\system32\Andgoobc.exe
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\Aeopki32.exe
    C:\Windows\system32\Aeopki32.exe
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\Ajkhdp32.exe
      C:\Windows\system32\Ajkhdp32.exe
      4⤵
      PID:2928

C:\Windows\SysWOW64\Aealah32.exe
C:\Windows\system32\Aealah32.exe
1⤵
PID:60
- C:\Windows\SysWOW64\Ajneip32.exe
  C:\Windows\system32\Ajneip32.exe
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\Bahmfj32.exe
    C:\Windows\system32\Bahmfj32.exe
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\Blmacb32.exe
      C:\Windows\system32\Blmacb32.exe
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        5⤵
        
        PID:2456
      - C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        6⤵
        
        PID:3948

C:\Windows\SysWOW64\Balfaiil.exe
C:\Windows\system32\Balfaiil.exe
1⤵
PID:3688
- C:\Windows\SysWOW64\Blbknaib.exe
  C:\Windows\system32\Blbknaib.exe
  2⤵
  PID:220
- - C:\Windows\SysWOW64\Baocghgi.exe
    C:\Windows\system32\Baocghgi.exe
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\Bldgdago.exe
      C:\Windows\system32\Bldgdago.exe
      4⤵
      PID:5156
    - - C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        5⤵
        
        PID:5204
      - C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        6⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        9⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        10⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        12⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        13⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        14⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        15⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        16⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        17⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        18⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        19⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        20⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        21⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        22⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        23⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        24⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        25⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        26⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        27⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        28⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        29⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        30⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        31⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        32⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        33⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        34⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        35⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        36⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        37⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        38⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        39⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        40⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        41⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        42⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        43⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        44⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        45⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        46⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        47⤵
        
        PID:5852

C:\Windows\SysWOW64\Gbbkaako.exe
C:\Windows\system32\Gbbkaako.exe
1⤵
PID:6160
- C:\Windows\SysWOW64\Glhonj32.exe
  C:\Windows\system32\Glhonj32.exe
  2⤵
  PID:6232
- - C:\Windows\SysWOW64\Gbdgfa32.exe
    C:\Windows\system32\Gbdgfa32.exe
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\Gmjlcj32.exe
      C:\Windows\system32\Gmjlcj32.exe
      4⤵
      PID:6328
    - - C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        5⤵
        
        PID:6392
      - C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        6⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        7⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        8⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        9⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        10⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        11⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        12⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        13⤵
        
        PID:6756

C:\Windows\SysWOW64\Hkikkeeo.exe
C:\Windows\system32\Hkikkeeo.exe
1⤵
PID:6796
- C:\Windows\SysWOW64\Hfnphn32.exe
  C:\Windows\system32\Hfnphn32.exe
  2⤵
  PID:6840
- - C:\Windows\SysWOW64\Hmhhehlb.exe
    C:\Windows\system32\Hmhhehlb.exe
    3⤵
    PID:6880
  - - C:\Windows\SysWOW64\Hbeqmoji.exe
      C:\Windows\system32\Hbeqmoji.exe
      4⤵
      PID:6924
    - - C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        5⤵
        
        PID:6972
      - C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        6⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        7⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        8⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        9⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        10⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        11⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        12⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        13⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        14⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        15⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        16⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        17⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        18⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        19⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        20⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        21⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        22⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        23⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        24⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        25⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        26⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        27⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        28⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        29⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        30⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        31⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        32⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        33⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        34⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        35⤵
        
        PID:7052

C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
1⤵
PID:6516
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\Lbjlfi32.exe
    C:\Windows\system32\Lbjlfi32.exe
    3⤵
    PID:6292
  - - C:\Windows\SysWOW64\Lmppcbjd.exe
      C:\Windows\system32\Lmppcbjd.exe
      4⤵
      PID:6824
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        
        PID:6792

C:\Windows\SysWOW64\Lmbmibhb.exe
C:\Windows\system32\Lmbmibhb.exe
1⤵
PID:6588
- C:\Windows\SysWOW64\Ldleel32.exe
  C:\Windows\system32\Ldleel32.exe
  2⤵
  PID:7184
- - C:\Windows\SysWOW64\Liimncmf.exe
    C:\Windows\system32\Liimncmf.exe
    3⤵
    PID:7232
  - - C:\Windows\SysWOW64\Ldoaklml.exe
      C:\Windows\system32\Ldoaklml.exe
      4⤵
      PID:7272
    - - C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        5⤵
        
        PID:7312
      - C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        6⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        7⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        8⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        9⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        10⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        11⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        12⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        13⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        14⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        15⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        16⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        17⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        18⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        19⤵
        
        PID:7936

C:\Windows\SysWOW64\Nepgjaeg.exe
C:\Windows\system32\Nepgjaeg.exe
1⤵
PID:7984
- C:\Windows\SysWOW64\Ndaggimg.exe
  C:\Windows\system32\Ndaggimg.exe
  2⤵
  PID:8040
- - C:\Windows\SysWOW64\Njnpppkn.exe
    C:\Windows\system32\Njnpppkn.exe
    3⤵
    PID:8080

C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
1⤵
PID:8132
- C:\Windows\SysWOW64\Neeqea32.exe
  C:\Windows\system32\Neeqea32.exe
  2⤵
  PID:8176
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    PID:7228
  - - C:\Windows\SysWOW64\Njefqo32.exe
      C:\Windows\system32\Njefqo32.exe
      4⤵
      PID:7292
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        
        PID:7384
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        
        PID:7456

C:\Windows\SysWOW64\Opakbi32.exe
C:\Windows\system32\Opakbi32.exe
1⤵
PID:7524
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  PID:7588
- - C:\Windows\SysWOW64\Olhlhjpd.exe
    C:\Windows\system32\Olhlhjpd.exe
    3⤵
    PID:7652
  - - C:\Windows\SysWOW64\Ognpebpj.exe
      C:\Windows\system32\Ognpebpj.exe
      4⤵
      PID:7744
    - - C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        5⤵
        
        PID:7820
      - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        6⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        7⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        8⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        9⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        10⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        11⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        12⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        13⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        14⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        15⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        16⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        17⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        18⤵
        
        PID:8028

C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
1⤵
PID:8164
- C:\Windows\SysWOW64\Qdbiedpa.exe
  C:\Windows\system32\Qdbiedpa.exe
  2⤵
  PID:7432
- - C:\Windows\SysWOW64\Qjoankoi.exe
    C:\Windows\system32\Qjoankoi.exe
    3⤵
    PID:7440
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      PID:7660
    - - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        5⤵
        
        PID:7832
      - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        6⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        7⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        8⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        9⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        10⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        11⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        12⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        13⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        14⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        15⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        16⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        17⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        18⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        19⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        20⤵
        
        PID:8484

C:\Windows\SysWOW64\Bmbplc32.exe
C:\Windows\system32\Bmbplc32.exe
1⤵
PID:8532
- C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  2⤵
  PID:8576
- - C:\Windows\SysWOW64\Bnbmefbg.exe
    C:\Windows\system32\Bnbmefbg.exe
    3⤵
    PID:8616
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      PID:8656
    - - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        5⤵
        
        PID:8696
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        7⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        10⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        12⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        13⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        14⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        15⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        16⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        17⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        18⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        19⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        20⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        21⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        22⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        23⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        24⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        25⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8764 -s 396
        26⤵
        Program crash
        
        PID:8908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8764 -ip 8764
1⤵
PID:8872

C:\Windows\SysWOW64\Pnbbbabh.exe
C:\Windows\system32\Pnbbbabh.exe
1⤵
PID:3260

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
5.1MB

MD5
c22eab4017c120492f21819196452e61

SHA1
66592396c61a8f3465c061ee2fc490763b952f02

SHA256
949faf4e8f73e56ad22a30e1748c18107bf90398659153cfa313430b9b2dae09

SHA512
799e429621a3e393eeeefe1158069e57c6f556e2f0c1e1788cc85da61ee080540ec90f703e420d9f9fee01e68007c24dbf63292674105cb74004e7b1e7e3026d

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
5.1MB

MD5
bbf0fe6a5527bdf42599b6d6695b2d3c

SHA1
5b9fe7af59ccba0eb2cca06f7b12f84a69328e76

SHA256
d563809531a14332f0e2dcd4ada312a52302c422727755f32d4f91eebe03c740

SHA512
a9a0654b7f605e2e0431bad5d589337aca88dce3ca8ae43684cb29fe3a78076acdf553ed93afe7fa637622de26e3cbd9aa9b685dc1bcd61f7f27c28275149db3

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
5.1MB

MD5
9257c0d11743615dd4a3a794dae5d711

SHA1
e22367c7ac83d42bbf1edf5f3d3d6883c85ec95f

SHA256
69b9e403617f9e6ffc11fc2104cb4262a976c6788755a885bc57cd7db0944499

SHA512
e31cb9dd12f7968d7c4977665c465da0b2e794bc4857a10e26a0880fc5ae2c9e58d040bbedf6d85d5490d94448d6c67b8c67738b8bcbd639fba3b0be85cbd816

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
5.1MB

MD5
9ea6948ba3c5fca12087ab4307b75b25

SHA1
70f4702a6f76e1a1cef956cc1950624ba07913c6

SHA256
474e74147bcd27058325b46069d9a5467a28c13fd1c88c6b5c59969beeee5a23

SHA512
85e555d0e2951c86945e1bf771ba0f055b8a541775c3107dd6e79f6f700a44a379a4baf2276878009837d65e6ac72e225f550da6059888b386462771ca0fc0ef

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
5.1MB

MD5
3c5b5e2700b5d0a97e3ee246c6f49153

SHA1
7433730f08cc4f92078aa6082881e58fd4c6e378

SHA256
178978f6d90648face7b6cf42d5a14136f8a27df5ddfc706c455b77d7bbbec41

SHA512
55d58e3dff7e9f2e372b5582258056ef92b94625728802265ab38369e90b5a6cff666b2a85ea05230948c395f68d871223e011b545bc8f6aa5aa776efa3d903f

Download Submit
memory/60-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-1659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5272-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5512-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5552-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5592-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5632-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5672-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8268-1657-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8320-1656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8328-1633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8360-1655-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8404-1654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8532-1651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8540-1631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8576-1650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8616-1649-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8688-1629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8696-1647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8792-1645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8876-1643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8924-1642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8968-1641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9008-1640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9048-1639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9092-1638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9132-1637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9176-1636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads