f68924916d6d8055e4ce2bd4d1d0efb2df16e9c0d6b602e87b8c4963fda55477

Analysis

max time kernel
84s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8ecb6faf3a85f3371af813ca56c1c75.exe
Size

88KB
MD5

a8ecb6faf3a85f3371af813ca56c1c75
SHA1

a3888e7f5a67caccd42988a85fd88418431f47be
SHA256

f68924916d6d8055e4ce2bd4d1d0efb2df16e9c0d6b602e87b8c4963fda55477
SHA512

3657a5b1382c2d89dd4015b43bb9f6c337c50aa18a43a3b92f5bce67661676554ec7403ede205f282c795c47c797ab1a5a2aaa8c802f78d608e7415e33399216
SSDEEP

1536:sYD669rXftbUWnuUvgtPnrLqzrCsKRkMEf5KQPvHVDnouy8L:suLftXFOjLqasEkeQPfFoutL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnfafpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khhalafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdoofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deqqek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgjhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlomemlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhdocc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbgdelpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjjmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnkfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpmobi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfqikko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnclcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ammnclcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbijinfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdoofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goabhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fganqbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqnemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhpqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdnlmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aekleind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgnfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Decmjjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edeeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fganqbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe

Executes dropped EXE 64 IoCs

pid	Process
5116	Pjdpelnc.exe
4144	Ppahmb32.exe
3280	svchost.exe
2928	Qdoacabq.exe
4288	Amjbbfgo.exe
4264	Afbgkl32.exe
3424	Adhdjpjf.exe
3444	Akdilipp.exe
3340	Bkgeainn.exe
1460	Bdojjo32.exe
5020	Bkibgh32.exe
4568	Bpfkpp32.exe
1712	Bogkmgba.exe
4652	Bknlbhhe.exe
2916	Bpkdjofm.exe
4964	Bgelgi32.exe
2168	Dijppjfd.exe
3836	Cncnob32.exe
2812	Cpbjkn32.exe
3568	Cglbhhga.exe
2500	Cnfkdb32.exe
1968	Cdpcal32.exe
1272	Fhdocc32.exe
3176	Dafppp32.exe
4008	Dgcihgaj.exe
1800	Dpkmal32.exe
4116	Dgeenfog.exe
3040	Fkehdnee.exe
4212	Dkcndeen.exe
4352	Ddkbmj32.exe
1056	Eqdpgk32.exe
628	Ehlhih32.exe
920	Capkim32.exe
1176	Edeeci32.exe
4036	Ebnddn32.exe
3460	Edgbii32.exe
2232	Fifhbf32.exe
1516	Enpfan32.exe
2544	Edionhpn.exe
408	Ekcgkb32.exe
2104	Fbmohmoh.exe
4896	Figgdg32.exe
3140	Fbplml32.exe
3692	Fijdjfdb.exe
5036	Fbbicl32.exe
1708	Goabhl32.exe
4724	Fniihmpf.exe
2368	Fqgedh32.exe
2420	Finnef32.exe
4300	Fganqbgg.exe
4596	Fnkfmm32.exe
2080	Fbgbnkfm.exe
2632	Fgcjfbed.exe
4028	Omgjhc32.exe
5144	Gnpphljo.exe
5180	Icogcjde.exe
5224	Igjbci32.exe
5264	Indkpcdk.exe
5304	Iencmm32.exe
5344	Ilhkigcd.exe
5384	Bgdjicmn.exe
5428	Ieqpbm32.exe
5464	Ilkhog32.exe
5508	Inidkb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbblob32.dll	Goabhl32.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Paoinm32.dll	Fbbicl32.exe
File opened for modification	C:\Windows\SysWOW64\Igjbci32.exe	Icogcjde.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	svchost.exe
File created	C:\Windows\SysWOW64\Bdojjo32.exe	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Hdnlmj32.exe
File created	C:\Windows\SysWOW64\Ibgmaqfl.exe	Qlomemlj.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Mhiabbdi.exe	Jajdai32.exe
File created	C:\Windows\SysWOW64\Ekcgkb32.exe	Edionhpn.exe
File created	C:\Windows\SysWOW64\Mlbmonhi.dll	Fijdjfdb.exe
File created	C:\Windows\SysWOW64\Fnkfmm32.exe	Fganqbgg.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Bqnemp32.exe	Bhmbjb32.exe
File opened for modification	C:\Windows\SysWOW64\Fnkfmm32.exe	Fganqbgg.exe
File opened for modification	C:\Windows\SysWOW64\Dbijinfl.exe	Deejpjgc.exe
File created	C:\Windows\SysWOW64\Begfqa32.dll	Edionhpn.exe
File created	C:\Windows\SysWOW64\Hodlgn32.dll	Fgcjfbed.exe
File created	C:\Windows\SysWOW64\Calbnnkj.exe	Aekleind.exe
File opened for modification	C:\Windows\SysWOW64\Fniihmpf.exe	Goabhl32.exe
File created	C:\Windows\SysWOW64\Ebjjgd32.dll	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Mhnjna32.exe	Pdoofl32.exe
File created	C:\Windows\SysWOW64\Mohbjkgp.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Igjbci32.exe	Icogcjde.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Qlajkm32.exe
File created	C:\Windows\SysWOW64\Mjicah32.dll	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Eglfjicq.dll	Fganqbgg.exe
File opened for modification	C:\Windows\SysWOW64\Fgcjfbed.exe	Fbgbnkfm.exe
File created	C:\Windows\SysWOW64\Maaekg32.exe	Akgcdc32.exe
File created	C:\Windows\SysWOW64\Odemep32.dll	Mkocol32.exe
File created	C:\Windows\SysWOW64\Hceook32.dll	Djmima32.exe
File created	C:\Windows\SysWOW64\Ibbcfa32.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Adhdjpjf.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Enmjlojd.exe	Edeeci32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Qlajkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Capkim32.exe	Cjfclcpg.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Jjpdeo32.dll	Omgjhc32.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Bpmobi32.exe
File created	C:\Windows\SysWOW64\Ljiochji.dll	Capkim32.exe
File created	C:\Windows\SysWOW64\Ehlhih32.exe	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Galoohke.exe	Fgcjfbed.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Inidkb32.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Bpmobi32.exe
File opened for modification	C:\Windows\SysWOW64\Moefdljc.exe	BackgroundTransferHost.exe
File created	C:\Windows\SysWOW64\Decmjjie.exe	Bgnfpp32.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Enmjlojd.exe	Edeeci32.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jhfbog32.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Cinpdl32.exe	Bqnemp32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Pgphggpe.exe
File created	C:\Windows\SysWOW64\Momael32.dll	Dbijinfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6636	8064	WerFault.exe	730

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a8ecb6faf3a85f3371af813ca56c1c75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinpdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aekleind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglfjicq.dll"	Fganqbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll"	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll"	Qlomemlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlajkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mojhphij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Jbgdelpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkngglh.dll"	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadpqeqg.dll"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgphggpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aekleind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaoj32.dll"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mojhphij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhdocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbgdelpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhmbjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jecoog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omecabkc.dll"	Hnfafpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Figgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alfcflfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momael32.dll"	Dbijinfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbijinfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cnfkdb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 5116	1828	a8ecb6faf3a85f3371af813ca56c1c75.exe	146
PID 1828 wrote to memory of 5116	1828	a8ecb6faf3a85f3371af813ca56c1c75.exe	146
PID 1828 wrote to memory of 5116	1828	a8ecb6faf3a85f3371af813ca56c1c75.exe	146
PID 5116 wrote to memory of 4144	5116	Pjdpelnc.exe	145
PID 5116 wrote to memory of 4144	5116	Pjdpelnc.exe	145
PID 5116 wrote to memory of 4144	5116	Pjdpelnc.exe	145
PID 4144 wrote to memory of 3280	4144	Cigcjj32.exe	209
PID 4144 wrote to memory of 3280	4144	Cigcjj32.exe	209
PID 4144 wrote to memory of 3280	4144	Cigcjj32.exe	209
PID 3280 wrote to memory of 2928	3280	svchost.exe	144
PID 3280 wrote to memory of 2928	3280	svchost.exe	144
PID 3280 wrote to memory of 2928	3280	svchost.exe	144
PID 2928 wrote to memory of 4288	2928	Qdoacabq.exe	92
PID 2928 wrote to memory of 4288	2928	Qdoacabq.exe	92
PID 2928 wrote to memory of 4288	2928	Qdoacabq.exe	92
PID 4288 wrote to memory of 4264	4288	Amjbbfgo.exe	93
PID 4288 wrote to memory of 4264	4288	Amjbbfgo.exe	93
PID 4288 wrote to memory of 4264	4288	Amjbbfgo.exe	93
PID 4264 wrote to memory of 3424	4264	Afbgkl32.exe	143
PID 4264 wrote to memory of 3424	4264	Afbgkl32.exe	143
PID 4264 wrote to memory of 3424	4264	Afbgkl32.exe	143
PID 3424 wrote to memory of 3444	3424	Adhdjpjf.exe	94
PID 3424 wrote to memory of 3444	3424	Adhdjpjf.exe	94
PID 3424 wrote to memory of 3444	3424	Adhdjpjf.exe	94
PID 3444 wrote to memory of 3340	3444	Akdilipp.exe	95
PID 3444 wrote to memory of 3340	3444	Akdilipp.exe	95
PID 3444 wrote to memory of 3340	3444	Akdilipp.exe	95
PID 3340 wrote to memory of 1460	3340	Bkgeainn.exe	142
PID 3340 wrote to memory of 1460	3340	Bkgeainn.exe	142
PID 3340 wrote to memory of 1460	3340	Bkgeainn.exe	142
PID 1460 wrote to memory of 5020	1460	Bdojjo32.exe	140
PID 1460 wrote to memory of 5020	1460	Bdojjo32.exe	140
PID 1460 wrote to memory of 5020	1460	Bdojjo32.exe	140
PID 5020 wrote to memory of 4568	5020	Bkibgh32.exe	96
PID 5020 wrote to memory of 4568	5020	Bkibgh32.exe	96
PID 5020 wrote to memory of 4568	5020	Bkibgh32.exe	96
PID 4568 wrote to memory of 1712	4568	Bpfkpp32.exe	139
PID 4568 wrote to memory of 1712	4568	Bpfkpp32.exe	139
PID 4568 wrote to memory of 1712	4568	Bpfkpp32.exe	139
PID 1712 wrote to memory of 4652	1712	Bogkmgba.exe	97
PID 1712 wrote to memory of 4652	1712	Bogkmgba.exe	97
PID 1712 wrote to memory of 4652	1712	Bogkmgba.exe	97
PID 4652 wrote to memory of 2916	4652	Bknlbhhe.exe	98
PID 4652 wrote to memory of 2916	4652	Bknlbhhe.exe	98
PID 4652 wrote to memory of 2916	4652	Bknlbhhe.exe	98
PID 2916 wrote to memory of 4964	2916	Bpkdjofm.exe	99
PID 2916 wrote to memory of 4964	2916	Bpkdjofm.exe	99
PID 2916 wrote to memory of 4964	2916	Bpkdjofm.exe	99
PID 4964 wrote to memory of 2168	4964	Bgelgi32.exe	211
PID 4964 wrote to memory of 2168	4964	Bgelgi32.exe	211
PID 4964 wrote to memory of 2168	4964	Bgelgi32.exe	211
PID 2168 wrote to memory of 3836	2168	Dijppjfd.exe	138
PID 2168 wrote to memory of 3836	2168	Dijppjfd.exe	138
PID 2168 wrote to memory of 3836	2168	Dijppjfd.exe	138
PID 3836 wrote to memory of 2812	3836	Cncnob32.exe	137
PID 3836 wrote to memory of 2812	3836	Cncnob32.exe	137
PID 3836 wrote to memory of 2812	3836	Cncnob32.exe	137
PID 2812 wrote to memory of 3568	2812	Cpbjkn32.exe	136
PID 2812 wrote to memory of 3568	2812	Cpbjkn32.exe	136
PID 2812 wrote to memory of 3568	2812	Cpbjkn32.exe	136
PID 3568 wrote to memory of 2500	3568	Cglbhhga.exe	135
PID 3568 wrote to memory of 2500	3568	Cglbhhga.exe	135
PID 3568 wrote to memory of 2500	3568	Cglbhhga.exe	135
PID 2500 wrote to memory of 1968	2500	Cnfkdb32.exe	134

C:\Users\Admin\AppData\Local\Temp\a8ecb6faf3a85f3371af813ca56c1c75.exe
"C:\Users\Admin\AppData\Local\Temp\a8ecb6faf3a85f3371af813ca56c1c75.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\Pjdpelnc.exe
  C:\Windows\system32\Pjdpelnc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5116

C:\Windows\SysWOW64\Qfkqjmdg.exe
C:\Windows\system32\Qfkqjmdg.exe
1⤵
PID:3280
- C:\Windows\SysWOW64\Qdoacabq.exe
  C:\Windows\system32\Qdoacabq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2928

C:\Windows\SysWOW64\Amjbbfgo.exe
C:\Windows\system32\Amjbbfgo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\Afbgkl32.exe
  C:\Windows\system32\Afbgkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\Adhdjpjf.exe
    C:\Windows\system32\Adhdjpjf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3424

C:\Windows\SysWOW64\Akdilipp.exe
C:\Windows\system32\Akdilipp.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\Bkgeainn.exe
  C:\Windows\system32\Bkgeainn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\Bdojjo32.exe
    C:\Windows\system32\Bdojjo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1460

C:\Windows\SysWOW64\Bpfkpp32.exe
C:\Windows\system32\Bpfkpp32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\Bogkmgba.exe
  C:\Windows\system32\Bogkmgba.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1712

C:\Windows\SysWOW64\Bknlbhhe.exe
C:\Windows\system32\Bknlbhhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\Bpkdjofm.exe
  C:\Windows\system32\Bpkdjofm.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Bgelgi32.exe
    C:\Windows\system32\Bgelgi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\Cgifbhid.exe
      C:\Windows\system32\Cgifbhid.exe
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Lihfmb32.exe
        
        C:\Windows\system32\Lihfmb32.exe
        6⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Llgcin32.exe
        
        C:\Windows\system32\Llgcin32.exe
        7⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Loeoei32.exe
        
        C:\Windows\system32\Loeoei32.exe
        8⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Mbqkfhfh.exe
        
        C:\Windows\system32\Mbqkfhfh.exe
        9⤵
        
        PID:7636
- C:\Windows\SysWOW64\Mpghel32.exe
  C:\Windows\system32\Mpghel32.exe
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\Mojhphij.exe
    C:\Windows\system32\Mojhphij.exe
    3⤵
    - Modifies registry class
    PID:5816

C:\Windows\SysWOW64\Coegoe32.exe
C:\Windows\system32\Coegoe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:688
- C:\Windows\SysWOW64\Cgqlcg32.exe
  C:\Windows\system32\Cgqlcg32.exe
  2⤵
  PID:1272

C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4008
- C:\Windows\SysWOW64\Dpkmal32.exe
  C:\Windows\system32\Dpkmal32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:1800

C:\Windows\SysWOW64\Dkcndeen.exe
C:\Windows\system32\Dkcndeen.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4212
- C:\Windows\SysWOW64\Ddkbmj32.exe
  C:\Windows\system32\Ddkbmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4352

C:\Windows\SysWOW64\Dqnjgl32.exe
C:\Windows\system32\Dqnjgl32.exe
1⤵
PID:3040

C:\Windows\SysWOW64\Edeeci32.exe
C:\Windows\system32\Edeeci32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1176
- C:\Windows\SysWOW64\Enmjlojd.exe
  C:\Windows\system32\Enmjlojd.exe
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\Edgbii32.exe
    C:\Windows\system32\Edgbii32.exe
    3⤵
    - Executes dropped EXE
    PID:3460

C:\Windows\SysWOW64\Egened32.exe
C:\Windows\system32\Egened32.exe
1⤵
PID:2232
- C:\Windows\SysWOW64\Enpfan32.exe
  C:\Windows\system32\Enpfan32.exe
  2⤵
  - Executes dropped EXE
  PID:1516

C:\Windows\SysWOW64\Fbmohmoh.exe
C:\Windows\system32\Fbmohmoh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2104
- C:\Windows\SysWOW64\Figgdg32.exe
  C:\Windows\system32\Figgdg32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4896
- - C:\Windows\SysWOW64\Fbplml32.exe
    C:\Windows\system32\Fbplml32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:3140

C:\Windows\SysWOW64\Fijdjfdb.exe
C:\Windows\system32\Fijdjfdb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3692
- C:\Windows\SysWOW64\Fbbicl32.exe
  C:\Windows\system32\Fbbicl32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5036
- - C:\Windows\SysWOW64\Feqeog32.exe
    C:\Windows\system32\Feqeog32.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\Fniihmpf.exe
      C:\Windows\system32\Fniihmpf.exe
      4⤵
      Executes dropped EXE
      PID:4724
    - - C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368

C:\Windows\SysWOW64\Fgcjfbed.exe
C:\Windows\system32\Fgcjfbed.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2632
- C:\Windows\SysWOW64\Galoohke.exe
  C:\Windows\system32\Galoohke.exe
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\Gnpphljo.exe
    C:\Windows\system32\Gnpphljo.exe
    3⤵
    - Executes dropped EXE
    PID:5144
  - - C:\Windows\SysWOW64\Icogcjde.exe
      C:\Windows\system32\Icogcjde.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:5180
- - C:\Windows\SysWOW64\Obccpj32.exe
    C:\Windows\system32\Obccpj32.exe
    3⤵
    PID:5228
  - - C:\Windows\SysWOW64\Ojkkah32.exe
      C:\Windows\system32\Ojkkah32.exe
      4⤵
      PID:6560

C:\Windows\SysWOW64\Fbgbnkfm.exe
C:\Windows\system32\Fbgbnkfm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2080

C:\Windows\SysWOW64\Fnkfmm32.exe
C:\Windows\system32\Fnkfmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4596

C:\Windows\SysWOW64\Fganqbgg.exe
C:\Windows\system32\Fganqbgg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4300
- C:\Windows\SysWOW64\Klljhe32.exe
  C:\Windows\system32\Klljhe32.exe
  2⤵
  PID:468
- - C:\Windows\SysWOW64\Kdcbic32.exe
    C:\Windows\system32\Kdcbic32.exe
    3⤵
    PID:6428
  - - C:\Windows\SysWOW64\Lemagjjj.exe
      C:\Windows\system32\Lemagjjj.exe
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\Lpcedbjp.exe
        
        C:\Windows\system32\Lpcedbjp.exe
        5⤵
        
        PID:7620
      - C:\Windows\SysWOW64\Lepnli32.exe
        
        C:\Windows\system32\Lepnli32.exe
        6⤵
        
        PID:7616

C:\Windows\SysWOW64\Finnef32.exe
C:\Windows\system32\Finnef32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420

C:\Windows\SysWOW64\Ekcgkb32.exe
C:\Windows\system32\Ekcgkb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:408

C:\Windows\SysWOW64\Edionhpn.exe
C:\Windows\system32\Edionhpn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544

C:\Windows\SysWOW64\Egaejeej.exe
C:\Windows\system32\Egaejeej.exe
1⤵
PID:920

C:\Windows\SysWOW64\Ehlhih32.exe
C:\Windows\system32\Ehlhih32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:628

C:\Windows\SysWOW64\Eqdpgk32.exe
C:\Windows\system32\Eqdpgk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1056

C:\Windows\SysWOW64\Dgeenfog.exe
C:\Windows\system32\Dgeenfog.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116

C:\Windows\SysWOW64\Dafppp32.exe
C:\Windows\system32\Dafppp32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3176

C:\Windows\SysWOW64\Cdpcal32.exe
C:\Windows\system32\Cdpcal32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1968

C:\Windows\SysWOW64\Cnfkdb32.exe
C:\Windows\system32\Cnfkdb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\Cglbhhga.exe
C:\Windows\system32\Cglbhhga.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\Jhdlncnl.exe
  C:\Windows\system32\Jhdlncnl.exe
  2⤵
  PID:7720
- - C:\Windows\SysWOW64\Jpkdoq32.exe
    C:\Windows\system32\Jpkdoq32.exe
    3⤵
    PID:8064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 412
      4⤵
      Program crash
      PID:6636

C:\Windows\SysWOW64\Cpbjkn32.exe
C:\Windows\system32\Cpbjkn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\Bkibgh32.exe
C:\Windows\system32\Bkibgh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\Ppahmb32.exe
C:\Windows\system32\Ppahmb32.exe
1⤵
- Executes dropped EXE
PID:4144
- C:\Windows\SysWOW64\Djipbbne.exe
  C:\Windows\system32\Djipbbne.exe
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\Dijppjfd.exe
    C:\Windows\system32\Dijppjfd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\Djklgb32.exe
      C:\Windows\system32\Djklgb32.exe
      4⤵
      PID:3220
    - - C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        5⤵
        
        PID:3488

C:\Windows\SysWOW64\Igjbci32.exe
C:\Windows\system32\Igjbci32.exe
1⤵
- Executes dropped EXE
PID:5224
- C:\Windows\SysWOW64\Indkpcdk.exe
  C:\Windows\system32\Indkpcdk.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:5264
- - C:\Windows\SysWOW64\Iencmm32.exe
    C:\Windows\system32\Iencmm32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:5304
- - C:\Windows\SysWOW64\Locbpi32.exe
    C:\Windows\system32\Locbpi32.exe
    3⤵
    PID:6096
  - - C:\Windows\SysWOW64\Lbnnphhk.exe
      C:\Windows\system32\Lbnnphhk.exe
      4⤵
      PID:3836

C:\Windows\SysWOW64\Inidkb32.exe
C:\Windows\system32\Inidkb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5508
- C:\Windows\SysWOW64\Icfmci32.exe
  C:\Windows\system32\Icfmci32.exe
  2⤵
  - Modifies registry class
  PID:5552
- - C:\Windows\SysWOW64\Ijpepcfj.exe
    C:\Windows\system32\Ijpepcfj.exe
    3⤵
    PID:5592
  - - C:\Windows\SysWOW64\Ibgmaqfl.exe
      C:\Windows\system32\Ibgmaqfl.exe
      4⤵
      PID:5636
    - - C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        5⤵
        
        PID:5676
      - C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        7⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
    - - C:\Windows\SysWOW64\Bckknd32.exe
        
        C:\Windows\system32\Bckknd32.exe
        5⤵
        
        PID:4560
      - C:\Windows\SysWOW64\Bkbcpb32.exe
        
        C:\Windows\system32\Bkbcpb32.exe
        6⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Bnaolm32.exe
        
        C:\Windows\system32\Bnaolm32.exe
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Bgicdc32.exe
        
        C:\Windows\system32\Bgicdc32.exe
        8⤵
        
        PID:5932

C:\Windows\SysWOW64\Ilkhog32.exe
C:\Windows\system32\Ilkhog32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5464

C:\Windows\SysWOW64\Jdmcdhhe.exe
C:\Windows\system32\Jdmcdhhe.exe
1⤵
PID:5832
- C:\Windows\SysWOW64\Jjgkab32.exe
  C:\Windows\system32\Jjgkab32.exe
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\Jaqcnl32.exe
    C:\Windows\system32\Jaqcnl32.exe
    3⤵
    - Modifies registry class
    PID:5916
  - - C:\Windows\SysWOW64\Jjihfbno.exe
      C:\Windows\system32\Jjihfbno.exe
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        5⤵
        
        PID:6012
      - C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052

C:\Windows\SysWOW64\Ieqpbm32.exe
C:\Windows\system32\Ieqpbm32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5428

C:\Windows\SysWOW64\Jlidpe32.exe
C:\Windows\system32\Jlidpe32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6092
- C:\Windows\SysWOW64\Jbbmmo32.exe
  C:\Windows\system32\Jbbmmo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6132
- - C:\Windows\SysWOW64\Jhoeef32.exe
    C:\Windows\system32\Jhoeef32.exe
    3⤵
    - Modifies registry class
    PID:5188
  - - C:\Windows\SysWOW64\Kdffjgpj.exe
      C:\Windows\system32\Kdffjgpj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5272
    - - C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
      - C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        8⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Jajdai32.exe
        
        C:\Windows\system32\Jajdai32.exe
        7⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Jialbf32.exe
        
        C:\Windows\system32\Jialbf32.exe
        8⤵
        
        PID:3568

C:\Windows\SysWOW64\Ibbcfa32.exe
C:\Windows\system32\Ibbcfa32.exe
1⤵
PID:5384

C:\Windows\SysWOW64\Ilhkigcd.exe
C:\Windows\system32\Ilhkigcd.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5344

C:\Windows\SysWOW64\Kocphojh.exe
C:\Windows\system32\Kocphojh.exe
1⤵
PID:5664
- C:\Windows\SysWOW64\Kaaldjil.exe
  C:\Windows\system32\Kaaldjil.exe
  2⤵
  - Drops file in System32 directory
  PID:5740
- - C:\Windows\SysWOW64\Kdpiqehp.exe
    C:\Windows\system32\Kdpiqehp.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:5804

C:\Windows\SysWOW64\Klgqabib.exe
C:\Windows\system32\Klgqabib.exe
1⤵
PID:5860
- C:\Windows\SysWOW64\Loemnnhe.exe
  C:\Windows\system32\Loemnnhe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5956
- - C:\Windows\SysWOW64\Ldbefe32.exe
    C:\Windows\system32\Ldbefe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:6000
  - - C:\Windows\SysWOW64\Lklnconj.exe
      C:\Windows\system32\Lklnconj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      Modifies registry class
      PID:6084
    - - C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        5⤵
        
        PID:4164
      - C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        7⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Admkgifd.exe
        
        C:\Windows\system32\Admkgifd.exe
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Akgcdc32.exe
        
        C:\Windows\system32\Akgcdc32.exe
        9⤵
        Drops file in System32 directory
        
        PID:5732

C:\Windows\SysWOW64\Mekdffee.exe
C:\Windows\system32\Mekdffee.exe
1⤵
PID:5500
- C:\Windows\SysWOW64\Mhiabbdi.exe
  C:\Windows\system32\Mhiabbdi.exe
  2⤵
  - Modifies registry class
  PID:5624
- - C:\Windows\SysWOW64\Mkgmoncl.exe
    C:\Windows\system32\Mkgmoncl.exe
    3⤵
    PID:5732
  - - C:\Windows\SysWOW64\Maaekg32.exe
      C:\Windows\system32\Maaekg32.exe
      4⤵
      PID:5868
    - - C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        5⤵
        
        PID:6008
  - - C:\Windows\SysWOW64\Apcllk32.exe
      C:\Windows\system32\Apcllk32.exe
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\Agndidce.exe
        
        C:\Windows\system32\Agndidce.exe
        5⤵
        
        PID:5148

C:\Windows\SysWOW64\Moefdljc.exe
C:\Windows\system32\Moefdljc.exe
1⤵
- Modifies registry class
PID:6120
- C:\Windows\SysWOW64\Mepnaf32.exe
  C:\Windows\system32\Mepnaf32.exe
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\Pgmkbg32.exe
    C:\Windows\system32\Pgmkbg32.exe
    3⤵
    PID:5820
  - - C:\Windows\SysWOW64\Pilgnb32.exe
      C:\Windows\system32\Pilgnb32.exe
      4⤵
      PID:5396
    - - C:\Windows\SysWOW64\Ppepkmhi.exe
        
        C:\Windows\system32\Ppepkmhi.exe
        5⤵
        
        PID:6364
      - C:\Windows\SysWOW64\Pgphggpe.exe
        
        C:\Windows\system32\Pgphggpe.exe
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040

C:\Windows\SysWOW64\Mhnjna32.exe
C:\Windows\system32\Mhnjna32.exe
1⤵
- Drops file in System32 directory
PID:5488
- C:\Windows\SysWOW64\Mohbjkgp.exe
  C:\Windows\system32\Mohbjkgp.exe
  2⤵
  PID:5612

C:\Windows\SysWOW64\Mebkge32.exe
C:\Windows\system32\Mebkge32.exe
1⤵
PID:5816
- C:\Windows\SysWOW64\Mhpgca32.exe
  C:\Windows\system32\Mhpgca32.exe
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\Mkocol32.exe
    C:\Windows\system32\Mkocol32.exe
    3⤵
    - Drops file in System32 directory
    PID:5496
  - - C:\Windows\SysWOW64\Ndnnianm.exe
      C:\Windows\system32\Ndnnianm.exe
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\Phkaqqoi.exe
        
        C:\Windows\system32\Phkaqqoi.exe
        5⤵
        
        PID:4412
- - C:\Windows\SysWOW64\Pindcboi.exe
    C:\Windows\system32\Pindcboi.exe
    3⤵
    PID:5352
  - - C:\Windows\SysWOW64\Pphlpl32.exe
      C:\Windows\system32\Pphlpl32.exe
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\Pdchakoo.exe
        
        C:\Windows\system32\Pdchakoo.exe
        5⤵
        
        PID:5752
- C:\Windows\SysWOW64\Mfaqafjl.exe
  C:\Windows\system32\Mfaqafjl.exe
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\Miomnaip.exe
    C:\Windows\system32\Miomnaip.exe
    3⤵
    PID:1484

C:\Windows\SysWOW64\Bqnemp32.exe
C:\Windows\system32\Bqnemp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:960
- C:\Windows\SysWOW64\Cinpdl32.exe
  C:\Windows\system32\Cinpdl32.exe
  2⤵
  - Modifies registry class
  PID:1476
- - C:\Windows\SysWOW64\Cjaiac32.exe
    C:\Windows\system32\Cjaiac32.exe
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\Calbnnkj.exe
      C:\Windows\system32\Calbnnkj.exe
      4⤵
      PID:3960
    - - C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\Cjfclcpg.exe
        
        C:\Windows\system32\Cjfclcpg.exe
        6⤵
        Drops file in System32 directory
        
        PID:2880

C:\Windows\SysWOW64\Capkim32.exe
C:\Windows\system32\Capkim32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920
- C:\Windows\SysWOW64\Cigcjj32.exe
  C:\Windows\system32\Cigcjj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Suspicious use of WriteProcessMemory
  PID:4144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8064 -ip 8064
  2⤵
  PID:3456

C:\Windows\SysWOW64\Deqqek32.exe
C:\Windows\system32\Deqqek32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176
- C:\Windows\SysWOW64\Dgomaf32.exe
  C:\Windows\system32\Dgomaf32.exe
  2⤵
  PID:2836

C:\Windows\SysWOW64\Djmima32.exe
C:\Windows\system32\Djmima32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1296
- C:\Windows\SysWOW64\Dnienqbi.exe
  C:\Windows\system32\Dnienqbi.exe
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\Decmjjie.exe
    C:\Windows\system32\Decmjjie.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:872

C:\Windows\SysWOW64\Dlmegd32.exe
C:\Windows\system32\Dlmegd32.exe
1⤵
PID:3208
- C:\Windows\SysWOW64\Deejpjgc.exe
  C:\Windows\system32\Deejpjgc.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:1604
- - C:\Windows\SysWOW64\Dbijinfl.exe
    C:\Windows\system32\Dbijinfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID:1240
  - - C:\Windows\SysWOW64\Dhfcae32.exe
      C:\Windows\system32\Dhfcae32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:3244
    - - C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\Ebnddn32.exe
        
        C:\Windows\system32\Ebnddn32.exe
        6⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Eelpqi32.exe
        
        C:\Windows\system32\Eelpqi32.exe
        7⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Ehmibdol.exe
        
        C:\Windows\system32\Ehmibdol.exe
        9⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Eliecc32.exe
        
        C:\Windows\system32\Eliecc32.exe
        10⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Ebbmpmnb.exe
        
        C:\Windows\system32\Ebbmpmnb.exe
        11⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Dhcdnq32.exe
        
        C:\Windows\system32\Dhcdnq32.exe
        9⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Djbpjl32.exe
        
        C:\Windows\system32\Djbpjl32.exe
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Bphgoe32.exe
        
        C:\Windows\system32\Bphgoe32.exe
        10⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\Hfmigmgf.exe
        
        C:\Windows\system32\Hfmigmgf.exe
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Ihlechfj.exe
        
        C:\Windows\system32\Ihlechfj.exe
        8⤵
        
        PID:7496

C:\Windows\SysWOW64\Eimelg32.exe
C:\Windows\system32\Eimelg32.exe
1⤵
PID:2980
- C:\Windows\SysWOW64\Ehofhdli.exe
  C:\Windows\system32\Ehofhdli.exe
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\Elkbhbeb.exe
    C:\Windows\system32\Elkbhbeb.exe
    3⤵
    PID:5380
  - - C:\Windows\SysWOW64\Eahjqicj.exe
      C:\Windows\system32\Eahjqicj.exe
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        5⤵
        
        PID:4912
      - C:\Windows\SysWOW64\Fajgfiag.exe
        
        C:\Windows\system32\Fajgfiag.exe
        6⤵
        
        PID:3396

C:\Windows\SysWOW64\Fhdocc32.exe
C:\Windows\system32\Fhdocc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1272
- C:\Windows\SysWOW64\Fkbkoo32.exe
  C:\Windows\system32\Fkbkoo32.exe
  2⤵
  PID:1496

C:\Windows\SysWOW64\Fbjcplhj.exe
C:\Windows\system32\Fbjcplhj.exe
1⤵
PID:3704
- C:\Windows\SysWOW64\Fehplggn.exe
  C:\Windows\system32\Fehplggn.exe
  2⤵
  PID:4364

C:\Windows\SysWOW64\Fkehdnee.exe
C:\Windows\system32\Fkehdnee.exe
1⤵
- Executes dropped EXE
PID:3040
- C:\Windows\SysWOW64\Fblpflfg.exe
  C:\Windows\system32\Fblpflfg.exe
  2⤵
  PID:5312
- - C:\Windows\SysWOW64\Fifhbf32.exe
    C:\Windows\system32\Fifhbf32.exe
    3⤵
    - Executes dropped EXE
    PID:2232
  - - C:\Windows\SysWOW64\Fhiinbdo.exe
      C:\Windows\system32\Fhiinbdo.exe
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\Faamghko.exe
        
        C:\Windows\system32\Faamghko.exe
        5⤵
        
        PID:2060
      - C:\Windows\SysWOW64\Golcak32.exe
        
        C:\Windows\system32\Golcak32.exe
        6⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Gkcdfl32.exe
        
        C:\Windows\system32\Gkcdfl32.exe
        7⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Gooqfkan.exe
        
        C:\Windows\system32\Gooqfkan.exe
        8⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Dmcilgco.exe
        
        C:\Windows\system32\Dmcilgco.exe
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Daneme32.exe
        
        C:\Windows\system32\Daneme32.exe
        9⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\Dkgjekai.exe
        
        C:\Windows\system32\Dkgjekai.exe
        10⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Bddcocff.exe
        
        C:\Windows\system32\Bddcocff.exe
        10⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Bgbpkoej.exe
        
        C:\Windows\system32\Bgbpkoej.exe
        11⤵
        
        PID:8020

C:\Windows\SysWOW64\Giddddad.exe
C:\Windows\system32\Giddddad.exe
1⤵
PID:4488
- C:\Windows\SysWOW64\Glbapoqh.exe
  C:\Windows\system32\Glbapoqh.exe
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\Gclimi32.exe
    C:\Windows\system32\Gclimi32.exe
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\Bhhiocdg.exe
      C:\Windows\system32\Bhhiocdg.exe
      4⤵
      PID:2936
    - - C:\Windows\SysWOW64\Bkgekock.exe
        
        C:\Windows\system32\Bkgekock.exe
        5⤵
        
        PID:1248

C:\Windows\SysWOW64\Gaoihfoo.exe
C:\Windows\system32\Gaoihfoo.exe
1⤵
PID:2832
- C:\Windows\SysWOW64\Hifaic32.exe
  C:\Windows\system32\Hifaic32.exe
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\Hleneo32.exe
    C:\Windows\system32\Hleneo32.exe
    3⤵
    PID:4284

C:\Windows\SysWOW64\Hocjaj32.exe
C:\Windows\system32\Hocjaj32.exe
1⤵
PID:3764
- C:\Windows\SysWOW64\Hembndee.exe
  C:\Windows\system32\Hembndee.exe
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\Hkjjfkcm.exe
    C:\Windows\system32\Hkjjfkcm.exe
    3⤵
    PID:3540
  - - C:\Windows\SysWOW64\Hikkdc32.exe
      C:\Windows\system32\Hikkdc32.exe
      4⤵
      PID:3664
    - - C:\Windows\SysWOW64\Hligqnjp.exe
        
        C:\Windows\system32\Hligqnjp.exe
        5⤵
        
        PID:5116
      - C:\Windows\SysWOW64\Hafpiehg.exe
        
        C:\Windows\system32\Hafpiehg.exe
        6⤵
        
        PID:4944

C:\Windows\SysWOW64\Himgjbii.exe
C:\Windows\system32\Himgjbii.exe
1⤵
PID:428
- C:\Windows\SysWOW64\Hllcfnhm.exe
  C:\Windows\system32\Hllcfnhm.exe
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\Hojpbigq.exe
    C:\Windows\system32\Hojpbigq.exe
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\Hhbdko32.exe
      C:\Windows\system32\Hhbdko32.exe
      4⤵
      PID:400
    - - C:\Windows\SysWOW64\Hkaqgjme.exe
        
        C:\Windows\system32\Hkaqgjme.exe
        5⤵
        
        PID:1364
      - C:\Windows\SysWOW64\Hchihhng.exe
        
        C:\Windows\system32\Hchihhng.exe
        6⤵
        
        PID:1864

C:\Windows\SysWOW64\Iefedcmk.exe
C:\Windows\system32\Iefedcmk.exe
1⤵
PID:2912
- C:\Windows\SysWOW64\Iheaqolo.exe
  C:\Windows\system32\Iheaqolo.exe
  2⤵
  PID:60

C:\Windows\SysWOW64\Ilqmam32.exe
C:\Windows\system32\Ilqmam32.exe
1⤵
PID:5280
- C:\Windows\SysWOW64\Iooimi32.exe
  C:\Windows\system32\Iooimi32.exe
  2⤵
  PID:6184

C:\Windows\SysWOW64\Ieiajckh.exe
C:\Windows\system32\Ieiajckh.exe
1⤵
PID:6232
- C:\Windows\SysWOW64\Ihgnfnjl.exe
  C:\Windows\system32\Ihgnfnjl.exe
  2⤵
  PID:6276
- - C:\Windows\SysWOW64\Ikejbjip.exe
    C:\Windows\system32\Ikejbjip.exe
    3⤵
    PID:6332
  - - C:\Windows\SysWOW64\Icmbcg32.exe
      C:\Windows\system32\Icmbcg32.exe
      4⤵
      PID:6380
    - - C:\Windows\SysWOW64\Ijgjpaao.exe
        
        C:\Windows\system32\Ijgjpaao.exe
        5⤵
        
        PID:6456

C:\Windows\SysWOW64\Icakofel.exe
C:\Windows\system32\Icakofel.exe
1⤵
PID:6496
- C:\Windows\SysWOW64\Jfbdpabn.exe
  C:\Windows\system32\Jfbdpabn.exe
  2⤵
  PID:6548
- - C:\Windows\SysWOW64\Jbieebha.exe
    C:\Windows\system32\Jbieebha.exe
    3⤵
    PID:6608

C:\Windows\SysWOW64\Jomeoggk.exe
C:\Windows\system32\Jomeoggk.exe
1⤵
PID:6660
- C:\Windows\SysWOW64\Jjbjlpga.exe
  C:\Windows\system32\Jjbjlpga.exe
  2⤵
  PID:6704

C:\Windows\SysWOW64\Jbnopbdl.exe
C:\Windows\system32\Jbnopbdl.exe
1⤵
PID:6756
- C:\Windows\SysWOW64\Jmccnk32.exe
  C:\Windows\system32\Jmccnk32.exe
  2⤵
  PID:6796

C:\Windows\SysWOW64\Jhjcbljf.exe
C:\Windows\system32\Jhjcbljf.exe
1⤵
PID:6868
- C:\Windows\SysWOW64\Jkhpogij.exe
  C:\Windows\system32\Jkhpogij.exe
  2⤵
  PID:6920

C:\Windows\SysWOW64\Kjipmoai.exe
C:\Windows\system32\Kjipmoai.exe
1⤵
PID:6964
- C:\Windows\SysWOW64\Kcbded32.exe
  C:\Windows\system32\Kcbded32.exe
  2⤵
  PID:7012
- - C:\Windows\SysWOW64\Kkmijf32.exe
    C:\Windows\system32\Kkmijf32.exe
    3⤵
    PID:7064
- C:\Windows\SysWOW64\Lblakh32.exe
  C:\Windows\system32\Lblakh32.exe
  2⤵
  PID:6444
- - C:\Windows\SysWOW64\Lfgnkgbf.exe
    C:\Windows\system32\Lfgnkgbf.exe
    3⤵
    PID:8176

C:\Windows\SysWOW64\Kicfijal.exe
C:\Windows\system32\Kicfijal.exe
1⤵
PID:5156
- C:\Windows\SysWOW64\Kkabefqp.exe
  C:\Windows\system32\Kkabefqp.exe
  2⤵
  PID:6200

C:\Windows\SysWOW64\Kkofofbb.exe
C:\Windows\system32\Kkofofbb.exe
1⤵
PID:7124

C:\Windows\SysWOW64\Kmaooihb.exe
C:\Windows\system32\Kmaooihb.exe
1⤵
PID:5404
- C:\Windows\SysWOW64\Lckglc32.exe
  C:\Windows\system32\Lckglc32.exe
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\Lfjchn32.exe
    C:\Windows\system32\Lfjchn32.exe
    3⤵
    PID:3224

C:\Windows\SysWOW64\Lihpdj32.exe
C:\Windows\system32\Lihpdj32.exe
1⤵
PID:6440
- C:\Windows\SysWOW64\Lmcldhfp.exe
  C:\Windows\system32\Lmcldhfp.exe
  2⤵
  PID:6316
- - C:\Windows\SysWOW64\Lcndab32.exe
    C:\Windows\system32\Lcndab32.exe
    3⤵
    PID:5728

C:\Windows\SysWOW64\Lflpmn32.exe
C:\Windows\system32\Lflpmn32.exe
1⤵
PID:5808
- C:\Windows\SysWOW64\Lmfhjhdm.exe
  C:\Windows\system32\Lmfhjhdm.exe
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\Lcpqgbkj.exe
    C:\Windows\system32\Lcpqgbkj.exe
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\Lfnmcnjn.exe
      C:\Windows\system32\Lfnmcnjn.exe
      4⤵
      PID:5936
    - - C:\Windows\SysWOW64\Lmkbeg32.exe
        
        C:\Windows\system32\Lmkbeg32.exe
        5⤵
        
        PID:5512
      - C:\Windows\SysWOW64\Mmokpglb.exe
        
        C:\Windows\system32\Mmokpglb.exe
        6⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mjcljk32.exe
        
        C:\Windows\system32\Mjcljk32.exe
        7⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Mclpbqal.exe
        
        C:\Windows\system32\Mclpbqal.exe
        8⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mfjlolpp.exe
        
        C:\Windows\system32\Mfjlolpp.exe
        9⤵
        
        PID:6896

C:\Windows\SysWOW64\Mmdekf32.exe
C:\Windows\system32\Mmdekf32.exe
1⤵
PID:6940
- C:\Windows\SysWOW64\Mpbaga32.exe
  C:\Windows\system32\Mpbaga32.exe
  2⤵
  PID:7000
- - C:\Windows\SysWOW64\Mflidl32.exe
    C:\Windows\system32\Mflidl32.exe
    3⤵
    PID:6056
  - - C:\Windows\SysWOW64\Njmopj32.exe
      C:\Windows\system32\Njmopj32.exe
      4⤵
      PID:7116
    - - C:\Windows\SysWOW64\Nfcoekhe.exe
        
        C:\Windows\system32\Nfcoekhe.exe
        5⤵
        
        PID:7152
      - C:\Windows\SysWOW64\Nboiekjd.exe
        
        C:\Windows\system32\Nboiekjd.exe
        6⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Odnfonag.exe
        
        C:\Windows\system32\Odnfonag.exe
        7⤵
        
        PID:6272

C:\Windows\SysWOW64\Mihikgod.exe
C:\Windows\system32\Mihikgod.exe
1⤵
PID:5744

C:\Windows\SysWOW64\Oikngeoo.exe
C:\Windows\system32\Oikngeoo.exe
1⤵
PID:6408
- C:\Windows\SysWOW64\Omgjhc32.exe
  C:\Windows\system32\Omgjhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4028

C:\Windows\SysWOW64\Oinkmdml.exe
C:\Windows\system32\Oinkmdml.exe
1⤵
PID:6580
- C:\Windows\SysWOW64\Ollgiplp.exe
  C:\Windows\system32\Ollgiplp.exe
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\Obfpejcl.exe
    C:\Windows\system32\Obfpejcl.exe
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\Ojmgggdo.exe
      C:\Windows\system32\Ojmgggdo.exe
      4⤵
      PID:6752
    - - C:\Windows\SysWOW64\Omnqhbap.exe
        
        C:\Windows\system32\Omnqhbap.exe
        5⤵
        
        PID:6020

C:\Windows\SysWOW64\Oplmdnpc.exe
C:\Windows\system32\Oplmdnpc.exe
1⤵
PID:5136
- C:\Windows\SysWOW64\Obkiqi32.exe
  C:\Windows\system32\Obkiqi32.exe
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\Pidamcgd.exe
    C:\Windows\system32\Pidamcgd.exe
    3⤵
    PID:6884
  - - C:\Windows\SysWOW64\Plcmiofg.exe
      C:\Windows\system32\Plcmiofg.exe
      4⤵
      PID:6912

C:\Windows\SysWOW64\Pdjeklfj.exe
C:\Windows\system32\Pdjeklfj.exe
1⤵
PID:5952
- C:\Windows\SysWOW64\Pghaghfn.exe
  C:\Windows\system32\Pghaghfn.exe
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\Pignccea.exe
    C:\Windows\system32\Pignccea.exe
    3⤵
    PID:3152

C:\Windows\SysWOW64\Plejoode.exe
C:\Windows\system32\Plejoode.exe
1⤵
PID:4164
- C:\Windows\SysWOW64\Ppafpm32.exe
  C:\Windows\system32\Ppafpm32.exe
  2⤵
  PID:6016

C:\Windows\SysWOW64\Pboblika.exe
C:\Windows\system32\Pboblika.exe
1⤵
PID:5540
- C:\Windows\SysWOW64\Piikhc32.exe
  C:\Windows\system32\Piikhc32.exe
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\Plhgdn32.exe
    C:\Windows\system32\Plhgdn32.exe
    3⤵
    PID:7148
  - - C:\Windows\SysWOW64\Pdoofl32.exe
      C:\Windows\system32\Pdoofl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:5256

C:\Windows\SysWOW64\Pgbdmfnc.exe
C:\Windows\system32\Pgbdmfnc.exe
1⤵
PID:5984
- C:\Windows\SysWOW64\Qipqibmf.exe
  C:\Windows\system32\Qipqibmf.exe
  2⤵
  PID:3416

C:\Windows\SysWOW64\Qlomemlj.exe
C:\Windows\system32\Qlomemlj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5592
- C:\Windows\SysWOW64\Qdfefkll.exe
  C:\Windows\system32\Qdfefkll.exe
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\Qkpmcddi.exe
    C:\Windows\system32\Qkpmcddi.exe
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\Qlajkm32.exe
      C:\Windows\system32\Qlajkm32.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:5832
    - - C:\Windows\SysWOW64\Akdfndpd.exe
        
        C:\Windows\system32\Akdfndpd.exe
        5⤵
        
        PID:7052
      - C:\Windows\SysWOW64\Alfcflfb.exe
        
        C:\Windows\system32\Alfcflfb.exe
        6⤵
        Modifies registry class
        
        PID:5448

C:\Windows\SysWOW64\Ajlpepbi.exe
C:\Windows\system32\Ajlpepbi.exe
1⤵
PID:6504
- C:\Windows\SysWOW64\Apfhajjf.exe
  C:\Windows\system32\Apfhajjf.exe
  2⤵
  PID:6648
- - C:\Windows\SysWOW64\Agpqnd32.exe
    C:\Windows\system32\Agpqnd32.exe
    3⤵
    PID:5528
  - - C:\Windows\SysWOW64\Almifk32.exe
      C:\Windows\system32\Almifk32.exe
      4⤵
      PID:6064
    - - C:\Windows\SysWOW64\Acgacegg.exe
        
        C:\Windows\system32\Acgacegg.exe
        5⤵
        
        PID:5284

C:\Windows\SysWOW64\Bknidbhi.exe
C:\Windows\system32\Bknidbhi.exe
1⤵
PID:7020
- C:\Windows\SysWOW64\Bnlfqngm.exe
  C:\Windows\system32\Bnlfqngm.exe
  2⤵
  PID:5620

C:\Windows\SysWOW64\Bpkbmi32.exe
C:\Windows\system32\Bpkbmi32.exe
1⤵
PID:5332
- C:\Windows\SysWOW64\Bdfnmhnj.exe
  C:\Windows\system32\Bdfnmhnj.exe
  2⤵
  PID:6112

C:\Windows\SysWOW64\Bgdjicmn.exe
C:\Windows\system32\Bgdjicmn.exe
1⤵
- Executes dropped EXE
PID:5384
- C:\Windows\SysWOW64\Bnobfn32.exe
  C:\Windows\system32\Bnobfn32.exe
  2⤵
  PID:6652
- - C:\Windows\SysWOW64\Bpmobi32.exe
    C:\Windows\system32\Bpmobi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:5636

C:\Windows\SysWOW64\Bjhpqn32.exe
C:\Windows\system32\Bjhpqn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588
- C:\Windows\SysWOW64\Bnclamqe.exe
  C:\Windows\system32\Bnclamqe.exe
  2⤵
  PID:6076

C:\Windows\SysWOW64\Bqahmhpi.exe
C:\Windows\system32\Bqahmhpi.exe
1⤵
PID:5868
- C:\Windows\SysWOW64\Bcpdidol.exe
  C:\Windows\system32\Bcpdidol.exe
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\Bkglkapo.exe
    C:\Windows\system32\Bkglkapo.exe
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\Mkdagm32.exe
      C:\Windows\system32\Mkdagm32.exe
      4⤵
      PID:5200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Drops file in System32 directory
PID:6008

C:\Windows\SysWOW64\Ofmbkipk.exe
C:\Windows\system32\Ofmbkipk.exe
1⤵
PID:1284

C:\Windows\SysWOW64\Mnbnchlb.exe
C:\Windows\system32\Mnbnchlb.exe
1⤵
PID:7144
- C:\Windows\SysWOW64\Mfiedfmd.exe
  C:\Windows\system32\Mfiedfmd.exe
  2⤵
  PID:7208

C:\Windows\SysWOW64\Mihbpalh.exe
C:\Windows\system32\Mihbpalh.exe
1⤵
PID:7256
- C:\Windows\SysWOW64\Mkfnlmkl.exe
  C:\Windows\system32\Mkfnlmkl.exe
  2⤵
  PID:7296

C:\Windows\SysWOW64\Moajmk32.exe
C:\Windows\system32\Moajmk32.exe
1⤵
PID:7332
- C:\Windows\SysWOW64\Mbpfig32.exe
  C:\Windows\system32\Mbpfig32.exe
  2⤵
  PID:7380
- - C:\Windows\SysWOW64\Meobeb32.exe
    C:\Windows\system32\Meobeb32.exe
    3⤵
    PID:7608
  - - C:\Windows\SysWOW64\Nfgbec32.exe
      C:\Windows\system32\Nfgbec32.exe
      4⤵
      PID:7712
    - - C:\Windows\SysWOW64\Dcbckk32.exe
        
        C:\Windows\system32\Dcbckk32.exe
        5⤵
        
        PID:7852
      - C:\Windows\SysWOW64\Ialhdh32.exe
        
        C:\Windows\system32\Ialhdh32.exe
        6⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Cpedckdl.exe
        
        C:\Windows\system32\Cpedckdl.exe
        7⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Cpljdjnd.exe
        
        C:\Windows\system32\Cpljdjnd.exe
        8⤵
        
        PID:7760

C:\Windows\SysWOW64\Jfffcf32.exe
C:\Windows\system32\Jfffcf32.exe
1⤵
PID:7812
- C:\Windows\SysWOW64\Kigoeagd.exe
  C:\Windows\system32\Kigoeagd.exe
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\Pnmhqh32.exe
    C:\Windows\system32\Pnmhqh32.exe
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\Gbmaog32.exe
      C:\Windows\system32\Gbmaog32.exe
      4⤵
      PID:2228
    - - C:\Windows\SysWOW64\Goabhl32.exe
        
        C:\Windows\system32\Goabhl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
      - C:\Windows\SysWOW64\Ickcaf32.exe
        
        C:\Windows\system32\Ickcaf32.exe
        6⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Jidkek32.exe
        
        C:\Windows\system32\Jidkek32.exe
        7⤵
        
        PID:4300

C:\Windows\SysWOW64\Mllcocna.exe
C:\Windows\system32\Mllcocna.exe
1⤵
PID:7692
- C:\Windows\SysWOW64\Mdckpqod.exe
  C:\Windows\system32\Mdckpqod.exe
  2⤵
  PID:7668
- - C:\Windows\SysWOW64\Mmlphfed.exe
    C:\Windows\system32\Mmlphfed.exe
    3⤵
    PID:428
  - - C:\Windows\SysWOW64\Mpjleadh.exe
      C:\Windows\system32\Mpjleadh.exe
      4⤵
      PID:7656
    - - C:\Windows\SysWOW64\Mchhamcl.exe
        
        C:\Windows\system32\Mchhamcl.exe
        5⤵
        
        PID:6148
      - C:\Windows\SysWOW64\Megdmhbp.exe
        
        C:\Windows\system32\Megdmhbp.exe
        6⤵
        
        PID:7768

C:\Windows\SysWOW64\Mmnlnfcb.exe
C:\Windows\system32\Mmnlnfcb.exe
1⤵
PID:4084
- C:\Windows\SysWOW64\Mplhjabe.exe
  C:\Windows\system32\Mplhjabe.exe
  2⤵
  PID:7808

C:\Windows\SysWOW64\Mckefmai.exe
C:\Windows\system32\Mckefmai.exe
1⤵
PID:6456
- C:\Windows\SysWOW64\Meiabh32.exe
  C:\Windows\system32\Meiabh32.exe
  2⤵
  PID:7828
- - C:\Windows\SysWOW64\Meknhh32.exe
    C:\Windows\system32\Meknhh32.exe
    3⤵
    PID:7908
  - - C:\Windows\SysWOW64\Npabeq32.exe
      C:\Windows\system32\Npabeq32.exe
      4⤵
      PID:6632
    - - C:\Windows\SysWOW64\Nenjng32.exe
        
        C:\Windows\system32\Nenjng32.exe
        5⤵
        
        PID:6704
      - C:\Windows\SysWOW64\Ngmggj32.exe
        
        C:\Windows\system32\Ngmggj32.exe
        6⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Nebdighb.exe
        
        C:\Windows\system32\Nebdighb.exe
        7⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Ngbpbjoe.exe
        
        C:\Windows\system32\Ngbpbjoe.exe
        8⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Nnlhod32.exe
        
        C:\Windows\system32\Nnlhod32.exe
        9⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Oggjni32.exe
        
        C:\Windows\system32\Oggjni32.exe
        10⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Ofijifbj.exe
        
        C:\Windows\system32\Ofijifbj.exe
        11⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Oncopcqj.exe
        
        C:\Windows\system32\Oncopcqj.exe
        12⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Ojjoedfn.exe
        
        C:\Windows\system32\Ojjoedfn.exe
        13⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Ocbdni32.exe
        
        C:\Windows\system32\Ocbdni32.exe
        14⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Pjnipc32.exe
        
        C:\Windows\system32\Pjnipc32.exe
        15⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Pqhammje.exe
        
        C:\Windows\system32\Pqhammje.exe
        16⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Pqknbmhc.exe
        
        C:\Windows\system32\Pqknbmhc.exe
        17⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Pgefogop.exe
        
        C:\Windows\system32\Pgefogop.exe
        18⤵
        
        PID:7128

C:\Windows\SysWOW64\Pjcbkbnc.exe
C:\Windows\system32\Pjcbkbnc.exe
1⤵
PID:5156
- C:\Windows\SysWOW64\Pdifhkni.exe
  C:\Windows\system32\Pdifhkni.exe
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\Pggbdgmm.exe
    C:\Windows\system32\Pggbdgmm.exe
    3⤵
    PID:4380

C:\Windows\SysWOW64\Pmdkmnkd.exe
C:\Windows\system32\Pmdkmnkd.exe
1⤵
PID:6876
- C:\Windows\SysWOW64\Pcncjh32.exe
  C:\Windows\system32\Pcncjh32.exe
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\Pjhlfb32.exe
    C:\Windows\system32\Pjhlfb32.exe
    3⤵
    PID:6764
  - - C:\Windows\SysWOW64\Qgnief32.exe
      C:\Windows\system32\Qgnief32.exe
      4⤵
      PID:6860
    - - C:\Windows\SysWOW64\Qnhabp32.exe
        
        C:\Windows\system32\Qnhabp32.exe
        5⤵
        
        PID:5772
      - C:\Windows\SysWOW64\Ammnclcj.exe
        
        C:\Windows\system32\Ammnclcj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Afhoaahg.exe
        
        C:\Windows\system32\Afhoaahg.exe
        7⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Aancojgn.exe
        
        C:\Windows\system32\Aancojgn.exe
        8⤵
        
        PID:8152

C:\Windows\SysWOW64\Ajfhhp32.exe
C:\Windows\system32\Ajfhhp32.exe
1⤵
PID:4896
- C:\Windows\SysWOW64\Aekleind.exe
  C:\Windows\system32\Aekleind.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:4408
- - C:\Windows\SysWOW64\Afmhma32.exe
    C:\Windows\system32\Afmhma32.exe
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\Andqnn32.exe
      C:\Windows\system32\Andqnn32.exe
      4⤵
      PID:2296

C:\Windows\SysWOW64\Amfqikko.exe
C:\Windows\system32\Amfqikko.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860
- C:\Windows\SysWOW64\Benijhla.exe
  C:\Windows\system32\Benijhla.exe
  2⤵
  PID:3484

C:\Windows\SysWOW64\Bfoebq32.exe
C:\Windows\system32\Bfoebq32.exe
1⤵
PID:3760
- C:\Windows\SysWOW64\Bnfmcn32.exe
  C:\Windows\system32\Bnfmcn32.exe
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\Badipiae.exe
    C:\Windows\system32\Badipiae.exe
    3⤵
    PID:4416
  - - C:\Windows\SysWOW64\Bepeph32.exe
      C:\Windows\system32\Bepeph32.exe
      4⤵
      PID:5204

C:\Windows\SysWOW64\Bnhjinpo.exe
C:\Windows\system32\Bnhjinpo.exe
1⤵
PID:3440
- C:\Windows\SysWOW64\Bagfeioc.exe
  C:\Windows\system32\Bagfeioc.exe
  2⤵
  PID:4900

C:\Windows\SysWOW64\Bebbeh32.exe
C:\Windows\system32\Bebbeh32.exe
1⤵
PID:2904
- C:\Windows\SysWOW64\Bganac32.exe
  C:\Windows\system32\Bganac32.exe
  2⤵
  PID:5992

C:\Windows\SysWOW64\Bjokno32.exe
C:\Windows\system32\Bjokno32.exe
1⤵
PID:5176
- C:\Windows\SysWOW64\Baickimp.exe
  C:\Windows\system32\Baickimp.exe
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\Bchogd32.exe
    C:\Windows\system32\Bchogd32.exe
    3⤵
    PID:6328

C:\Windows\SysWOW64\Bgckgcem.exe
C:\Windows\system32\Bgckgcem.exe
1⤵
PID:5748
- C:\Windows\SysWOW64\Bjagcndq.exe
  C:\Windows\system32\Bjagcndq.exe
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\Bmpcpjcd.exe
    C:\Windows\system32\Bmpcpjcd.exe
    3⤵
    PID:5376

C:\Windows\SysWOW64\Beglqgcf.exe
C:\Windows\system32\Beglqgcf.exe
1⤵
PID:6180
- C:\Windows\SysWOW64\Bcjlld32.exe
  C:\Windows\system32\Bcjlld32.exe
  2⤵
  PID:7236
- - C:\Windows\SysWOW64\Cfmacoep.exe
    C:\Windows\system32\Cfmacoep.exe
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\Cabfagee.exe
      C:\Windows\system32\Cabfagee.exe
      4⤵
      PID:5184
    - - C:\Windows\SysWOW64\Cdabmcdi.exe
        
        C:\Windows\system32\Cdabmcdi.exe
        5⤵
        
        PID:5760
      - C:\Windows\SysWOW64\Bacjmh32.exe
        
        C:\Windows\system32\Bacjmh32.exe
        6⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Bdagidhi.exe
        
        C:\Windows\system32\Bdagidhi.exe
        7⤵
        
        PID:3552

C:\Windows\SysWOW64\Bfabhppm.exe
C:\Windows\system32\Bfabhppm.exe
1⤵
PID:7288

C:\Windows\SysWOW64\Chmnnamb.exe
C:\Windows\system32\Chmnnamb.exe
1⤵
PID:7072
- C:\Windows\SysWOW64\Cjkjjmlf.exe
  C:\Windows\system32\Cjkjjmlf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5868
- - C:\Windows\SysWOW64\Cnffjl32.exe
    C:\Windows\system32\Cnffjl32.exe
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\Cdcobb32.exe
      C:\Windows\system32\Cdcobb32.exe
      4⤵
      PID:5856

C:\Windows\SysWOW64\Cfakon32.exe
C:\Windows\system32\Cfakon32.exe
1⤵
PID:4724
- C:\Windows\SysWOW64\Cnicpk32.exe
  C:\Windows\system32\Cnicpk32.exe
  2⤵
  PID:2184

C:\Windows\SysWOW64\Cmlckhig.exe
C:\Windows\system32\Cmlckhig.exe
1⤵
PID:6164
- C:\Windows\SysWOW64\Ceckleii.exe
  C:\Windows\system32\Ceckleii.exe
  2⤵
  PID:7284
- - C:\Windows\SysWOW64\Cdfkhb32.exe
    C:\Windows\system32\Cdfkhb32.exe
    3⤵
    PID:4092

C:\Windows\SysWOW64\Cokpekpj.exe
C:\Windows\system32\Cokpekpj.exe
1⤵
PID:7444
- C:\Windows\SysWOW64\Dajlafon.exe
  C:\Windows\system32\Dajlafon.exe
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\Ddhhnana.exe
    C:\Windows\system32\Ddhhnana.exe
    3⤵
    PID:2148

C:\Windows\SysWOW64\Dmpmfg32.exe
C:\Windows\system32\Dmpmfg32.exe
1⤵
PID:1768
- C:\Windows\SysWOW64\Dalhgfmk.exe
  C:\Windows\system32\Dalhgfmk.exe
  2⤵
  PID:3956

C:\Windows\SysWOW64\Ddjecalo.exe
C:\Windows\system32\Ddjecalo.exe
1⤵
PID:4640
- C:\Windows\SysWOW64\Dhfacp32.exe
  C:\Windows\system32\Dhfacp32.exe
  2⤵
  PID:7400
- - C:\Windows\SysWOW64\Dkdmpl32.exe
    C:\Windows\system32\Dkdmpl32.exe
    3⤵
    PID:5720

C:\Windows\SysWOW64\Dmefafql.exe
C:\Windows\system32\Dmefafql.exe
1⤵
PID:3176
- C:\Windows\SysWOW64\Daqbbe32.exe
  C:\Windows\system32\Daqbbe32.exe
  2⤵
  PID:7416
- - C:\Windows\SysWOW64\Dhkjooqb.exe
    C:\Windows\system32\Dhkjooqb.exe
    3⤵
    PID:7800

C:\Windows\SysWOW64\Dkifkkpf.exe
C:\Windows\system32\Dkifkkpf.exe
1⤵
PID:7684
- C:\Windows\SysWOW64\Dodbkiho.exe
  C:\Windows\system32\Dodbkiho.exe
  2⤵
  PID:7528

C:\Windows\SysWOW64\Eknpfj32.exe
C:\Windows\system32\Eknpfj32.exe
1⤵
PID:7848
- C:\Windows\SysWOW64\Eecdcckf.exe
  C:\Windows\system32\Eecdcckf.exe
  2⤵
  PID:6728
- - C:\Windows\SysWOW64\Ehappnjj.exe
    C:\Windows\system32\Ehappnjj.exe
    3⤵
    PID:6800

C:\Windows\SysWOW64\Ekpmljin.exe
C:\Windows\system32\Ekpmljin.exe
1⤵
PID:7956
- C:\Windows\SysWOW64\Eolhlh32.exe
  C:\Windows\system32\Eolhlh32.exe
  2⤵
  PID:5564

C:\Windows\SysWOW64\Eajehd32.exe
C:\Windows\system32\Eajehd32.exe
1⤵
PID:5480
- C:\Windows\SysWOW64\Eeeaibid.exe
  C:\Windows\system32\Eeeaibid.exe
  2⤵
  PID:8028

C:\Windows\SysWOW64\Ehdmenhh.exe
C:\Windows\system32\Ehdmenhh.exe
1⤵
PID:7384
- C:\Windows\SysWOW64\Eggmqk32.exe
  C:\Windows\system32\Eggmqk32.exe
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\Emaemefo.exe
    C:\Windows\system32\Emaemefo.exe
    3⤵
    PID:3648

C:\Windows\SysWOW64\Eehnnb32.exe
C:\Windows\system32\Eehnnb32.exe
1⤵
PID:4840
- C:\Windows\SysWOW64\Edknjonl.exe
  C:\Windows\system32\Edknjonl.exe
  2⤵
  PID:5236

C:\Windows\SysWOW64\Egijfjmp.exe
C:\Windows\system32\Egijfjmp.exe
1⤵
PID:4428
- C:\Windows\SysWOW64\Ekefgi32.exe
  C:\Windows\system32\Ekefgi32.exe
  2⤵
  PID:6928
- - C:\Windows\SysWOW64\Emcbcd32.exe
    C:\Windows\system32\Emcbcd32.exe
    3⤵
    PID:6864
  - - C:\Windows\SysWOW64\Folacfcd.exe
      C:\Windows\system32\Folacfcd.exe
      4⤵
      PID:7008
    - - C:\Windows\SysWOW64\Gnckjbfj.exe
        
        C:\Windows\system32\Gnckjbfj.exe
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\Gnkajapa.exe
        
        C:\Windows\system32\Gnkajapa.exe
        6⤵
        
        PID:864

C:\Windows\SysWOW64\Cjpcel32.exe
C:\Windows\system32\Cjpcel32.exe
1⤵
PID:6156

C:\Windows\SysWOW64\Gafmkp32.exe
C:\Windows\system32\Gafmkp32.exe
1⤵
PID:4404
- C:\Windows\SysWOW64\Gddigk32.exe
  C:\Windows\system32\Gddigk32.exe
  2⤵
  PID:4076

C:\Windows\SysWOW64\Ghpehjph.exe
C:\Windows\system32\Ghpehjph.exe
1⤵
PID:7188
- C:\Windows\SysWOW64\Hojndd32.exe
  C:\Windows\system32\Hojndd32.exe
  2⤵
  PID:5356

C:\Windows\SysWOW64\Hbhjqp32.exe
C:\Windows\system32\Hbhjqp32.exe
1⤵
PID:6644
- C:\Windows\SysWOW64\Hdgfmk32.exe
  C:\Windows\system32\Hdgfmk32.exe
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\Hgebif32.exe
    C:\Windows\system32\Hgebif32.exe
    3⤵
    PID:2740

C:\Windows\SysWOW64\Hkaoiemi.exe
C:\Windows\system32\Hkaoiemi.exe
1⤵
PID:5552
- C:\Windows\SysWOW64\Hnokeqll.exe
  C:\Windows\system32\Hnokeqll.exe
  2⤵
  PID:5600

C:\Windows\SysWOW64\Hbkgfode.exe
C:\Windows\system32\Hbkgfode.exe
1⤵
PID:7048
- C:\Windows\SysWOW64\Hdicbkci.exe
  C:\Windows\system32\Hdicbkci.exe
  2⤵
  PID:6772

C:\Windows\SysWOW64\Hggonfbm.exe
C:\Windows\system32\Hggonfbm.exe
1⤵
PID:5128
- C:\Windows\SysWOW64\Hoogpcco.exe
  C:\Windows\system32\Hoogpcco.exe
  2⤵
  PID:5976

C:\Windows\SysWOW64\Hbmclobc.exe
C:\Windows\system32\Hbmclobc.exe
1⤵
PID:6064
- C:\Windows\SysWOW64\Hdlphjaf.exe
  C:\Windows\system32\Hdlphjaf.exe
  2⤵
  PID:6932

C:\Windows\SysWOW64\Hhglhi32.exe
C:\Windows\system32\Hhglhi32.exe
1⤵
PID:5556
- C:\Windows\SysWOW64\Hkehdd32.exe
  C:\Windows\system32\Hkehdd32.exe
  2⤵
  PID:7340
- - C:\Windows\SysWOW64\Hoadecal.exe
    C:\Windows\system32\Hoadecal.exe
    3⤵
    PID:6784

C:\Windows\SysWOW64\Hbppaopp.exe
C:\Windows\system32\Hbppaopp.exe
1⤵
PID:2460
- C:\Windows\SysWOW64\Hdnlmj32.exe
  C:\Windows\system32\Hdnlmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:4164
- - C:\Windows\SysWOW64\Hocqkc32.exe
    C:\Windows\system32\Hocqkc32.exe
    3⤵
    PID:5428
  - - C:\Windows\SysWOW64\Hnfafpfd.exe
      C:\Windows\system32\Hnfafpfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies registry class
      PID:4036

C:\Windows\SysWOW64\Igoeoe32.exe
C:\Windows\system32\Igoeoe32.exe
1⤵
PID:1900
- C:\Windows\SysWOW64\Iofmpb32.exe
  C:\Windows\system32\Iofmpb32.exe
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\Ibdiln32.exe
    C:\Windows\system32\Ibdiln32.exe
    3⤵
    PID:7180
  - - C:\Windows\SysWOW64\Igabdekb.exe
      C:\Windows\system32\Igabdekb.exe
      4⤵
      PID:3636
    - - C:\Windows\SysWOW64\Ikmnec32.exe
        
        C:\Windows\system32\Ikmnec32.exe
        5⤵
        
        PID:4740
      - C:\Windows\SysWOW64\Ibffbnjh.exe
        
        C:\Windows\system32\Ibffbnjh.exe
        6⤵
        
        PID:6280

C:\Windows\SysWOW64\Iiqooh32.exe
C:\Windows\system32\Iiqooh32.exe
1⤵
PID:2996
- C:\Windows\SysWOW64\Igcojdhp.exe
  C:\Windows\system32\Igcojdhp.exe
  2⤵
  PID:6768

C:\Windows\SysWOW64\Iojgkbib.exe
C:\Windows\system32\Iojgkbib.exe
1⤵
PID:6128
- C:\Windows\SysWOW64\Ibicgmhe.exe
  C:\Windows\system32\Ibicgmhe.exe
  2⤵
  PID:4248

C:\Windows\SysWOW64\Ifbbbl32.exe
C:\Windows\system32\Ifbbbl32.exe
1⤵
PID:6396

C:\Windows\SysWOW64\Iomcqa32.exe
C:\Windows\system32\Iomcqa32.exe
1⤵
PID:1556
- C:\Windows\SysWOW64\Ifglmlol.exe
  C:\Windows\system32\Ifglmlol.exe
  2⤵
  PID:5456

C:\Windows\SysWOW64\Ighhed32.exe
C:\Windows\system32\Ighhed32.exe
1⤵
PID:7012
- C:\Windows\SysWOW64\Ikcdfbmc.exe
  C:\Windows\system32\Ikcdfbmc.exe
  2⤵
  PID:3156

C:\Windows\SysWOW64\Inbpbnlg.exe
C:\Windows\system32\Inbpbnlg.exe
1⤵
PID:6212
- C:\Windows\SysWOW64\Ifihckmi.exe
  C:\Windows\system32\Ifihckmi.exe
  2⤵
  PID:5896

C:\Windows\SysWOW64\Jelioh32.exe
C:\Windows\system32\Jelioh32.exe
1⤵
PID:3172
- C:\Windows\SysWOW64\Jgjekc32.exe
  C:\Windows\system32\Jgjekc32.exe
  2⤵
  PID:6312

C:\Windows\SysWOW64\Joamlacj.exe
C:\Windows\system32\Joamlacj.exe
1⤵
PID:4512
- C:\Windows\SysWOW64\Jbpihlbn.exe
  C:\Windows\system32\Jbpihlbn.exe
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\Jenedhaa.exe
    C:\Windows\system32\Jenedhaa.exe
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\Jodiaqag.exe
      C:\Windows\system32\Jodiaqag.exe
      4⤵
      PID:4860

C:\Windows\SysWOW64\Jngjmm32.exe
C:\Windows\system32\Jngjmm32.exe
1⤵
PID:2588
- C:\Windows\SysWOW64\Jfnbnk32.exe
  C:\Windows\system32\Jfnbnk32.exe
  2⤵
  PID:6300

C:\Windows\SysWOW64\Jilnjf32.exe
C:\Windows\system32\Jilnjf32.exe
1⤵
PID:6124
- C:\Windows\SysWOW64\Jgonfcnb.exe
  C:\Windows\system32\Jgonfcnb.exe
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\Jpffgp32.exe
    C:\Windows\system32\Jpffgp32.exe
    3⤵
    PID:7080

C:\Windows\SysWOW64\Jbdbcl32.exe
C:\Windows\system32\Jbdbcl32.exe
1⤵
PID:6512
- C:\Windows\SysWOW64\Jecoog32.exe
  C:\Windows\system32\Jecoog32.exe
  2⤵
  - Modifies registry class
  PID:3220
- - C:\Windows\SysWOW64\Jiokpfee.exe
    C:\Windows\system32\Jiokpfee.exe
    3⤵
    PID:6252

C:\Windows\SysWOW64\Jkmgladi.exe
C:\Windows\system32\Jkmgladi.exe
1⤵
PID:4560
- C:\Windows\SysWOW64\Jphcmp32.exe
  C:\Windows\system32\Jphcmp32.exe
  2⤵
  PID:7344

C:\Windows\SysWOW64\Jbgoik32.exe
C:\Windows\system32\Jbgoik32.exe
1⤵
PID:2868
- C:\Windows\SysWOW64\Jeekeg32.exe
  C:\Windows\system32\Jeekeg32.exe
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\Jgdhab32.exe
    C:\Windows\system32\Jgdhab32.exe
    3⤵
    PID:1068

C:\Windows\SysWOW64\Jlocaabf.exe
C:\Windows\system32\Jlocaabf.exe
1⤵
PID:2316
- C:\Windows\SysWOW64\Jnnpnl32.exe
  C:\Windows\system32\Jnnpnl32.exe
  2⤵
  PID:4904

C:\Windows\SysWOW64\Kfehoj32.exe
C:\Windows\system32\Kfehoj32.exe
1⤵
PID:3504
- C:\Windows\SysWOW64\Kicdke32.exe
  C:\Windows\system32\Kicdke32.exe
  2⤵
  PID:400
- - C:\Windows\SysWOW64\Kpmlhoil.exe
    C:\Windows\system32\Kpmlhoil.exe
    3⤵
    PID:6844

C:\Windows\SysWOW64\Kblidkhp.exe
C:\Windows\system32\Kblidkhp.exe
1⤵
PID:7832
- C:\Windows\SysWOW64\Kejepfgd.exe
  C:\Windows\system32\Kejepfgd.exe
  2⤵
  PID:7912
- - C:\Windows\SysWOW64\Khhalafg.exe
    C:\Windows\system32\Khhalafg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6012
  - - C:\Windows\SysWOW64\Kbneij32.exe
      C:\Windows\system32\Kbneij32.exe
      4⤵
      PID:7332
    - - C:\Windows\SysWOW64\Kelaef32.exe
        
        C:\Windows\system32\Kelaef32.exe
        5⤵
        
        PID:8040
      - C:\Windows\SysWOW64\Khknaa32.exe
        
        C:\Windows\system32\Khknaa32.exe
        6⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Knefnkla.exe
        
        C:\Windows\system32\Knefnkla.exe
        7⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Kflnpild.exe
        
        C:\Windows\system32\Kflnpild.exe
        8⤵
        
        PID:5216

C:\Windows\SysWOW64\Kijjldkh.exe
C:\Windows\system32\Kijjldkh.exe
1⤵
PID:5932
- C:\Windows\SysWOW64\Klifhpjk.exe
  C:\Windows\system32\Klifhpjk.exe
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\Kngcdkjo.exe
    C:\Windows\system32\Kngcdkjo.exe
    3⤵
    PID:3008

C:\Windows\SysWOW64\Kbbodj32.exe
C:\Windows\system32\Kbbodj32.exe
1⤵
PID:6856
- C:\Windows\SysWOW64\Keakqeal.exe
  C:\Windows\system32\Keakqeal.exe
  2⤵
  PID:4864

C:\Windows\SysWOW64\Khpgmqpp.exe
C:\Windows\system32\Khpgmqpp.exe
1⤵
PID:6852
- C:\Windows\SysWOW64\Kpfonnab.exe
  C:\Windows\system32\Kpfonnab.exe
  2⤵
  PID:4980

C:\Windows\SysWOW64\Lbekjipe.exe
C:\Windows\system32\Lbekjipe.exe
1⤵
PID:5644
- C:\Windows\SysWOW64\Lfqgjh32.exe
  C:\Windows\system32\Lfqgjh32.exe
  2⤵
  PID:6724

C:\Windows\SysWOW64\Liocgc32.exe
C:\Windows\system32\Liocgc32.exe
1⤵
PID:3488
- C:\Windows\SysWOW64\Lnlloj32.exe
  C:\Windows\system32\Lnlloj32.exe
  2⤵
  PID:2400

C:\Windows\SysWOW64\Lfcdph32.exe
C:\Windows\system32\Lfcdph32.exe
1⤵
PID:6192
- C:\Windows\SysWOW64\Liaqlcep.exe
  C:\Windows\system32\Liaqlcep.exe
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\Lhdqhp32.exe
    C:\Windows\system32\Lhdqhp32.exe
    3⤵
    PID:6384
  - - C:\Windows\SysWOW64\Lnnidjcg.exe
      C:\Windows\system32\Lnnidjcg.exe
      4⤵
      PID:1472

C:\Windows\SysWOW64\Lfeaegdi.exe
C:\Windows\system32\Lfeaegdi.exe
1⤵
PID:7172
- C:\Windows\SysWOW64\Lhfmmp32.exe
  C:\Windows\system32\Lhfmmp32.exe
  2⤵
  PID:7988
- - C:\Windows\SysWOW64\Lpneom32.exe
    C:\Windows\system32\Lpneom32.exe
    3⤵
    PID:6964

C:\Windows\SysWOW64\Lifjgb32.exe
C:\Windows\system32\Lifjgb32.exe
1⤵
PID:5692
- C:\Windows\SysWOW64\Lldfcn32.exe
  C:\Windows\system32\Lldfcn32.exe
  2⤵
  PID:5264

C:\Windows\SysWOW64\Meogbcel.exe
C:\Windows\system32\Meogbcel.exe
1⤵
PID:4376
- C:\Windows\SysWOW64\Mhncnodp.exe
  C:\Windows\system32\Mhncnodp.exe
  2⤵
  PID:7296
- - C:\Windows\SysWOW64\Mpdkol32.exe
    C:\Windows\system32\Mpdkol32.exe
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\Mbchkg32.exe
      C:\Windows\system32\Mbchkg32.exe
      4⤵
      PID:7712
    - - C:\Windows\SysWOW64\Mhppcn32.exe
        
        C:\Windows\system32\Mhppcn32.exe
        5⤵
        
        PID:4652

C:\Windows\SysWOW64\Mlnijmhc.exe
C:\Windows\system32\Mlnijmhc.exe
1⤵
PID:7936
- C:\Windows\SysWOW64\Molefh32.exe
  C:\Windows\system32\Molefh32.exe
  2⤵
  PID:7664
- - C:\Windows\SysWOW64\Mfcmge32.exe
    C:\Windows\system32\Mfcmge32.exe
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\Miaica32.exe
      C:\Windows\system32\Miaica32.exe
      4⤵
      PID:5768
    - - C:\Windows\SysWOW64\Mlpeol32.exe
        
        C:\Windows\system32\Mlpeol32.exe
        5⤵
        
        PID:1608

C:\Windows\SysWOW64\Moobkh32.exe
C:\Windows\system32\Moobkh32.exe
1⤵
PID:6872
- C:\Windows\SysWOW64\Mfejme32.exe
  C:\Windows\system32\Mfejme32.exe
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\Mehjhbma.exe
    C:\Windows\system32\Mehjhbma.exe
    3⤵
    PID:2940

C:\Windows\SysWOW64\Mlbbel32.exe
C:\Windows\system32\Mlbbel32.exe
1⤵
PID:7628
- C:\Windows\SysWOW64\Mpnnek32.exe
  C:\Windows\system32\Mpnnek32.exe
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\Nbljaf32.exe
    C:\Windows\system32\Nbljaf32.exe
    3⤵
    PID:956

C:\Windows\SysWOW64\Nekgna32.exe
C:\Windows\system32\Nekgna32.exe
1⤵
PID:1496
- C:\Windows\SysWOW64\Nleojlbk.exe
  C:\Windows\system32\Nleojlbk.exe
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\Nboggf32.exe
    C:\Windows\system32\Nboggf32.exe
    3⤵
    PID:3196
  - - C:\Windows\SysWOW64\Niipdpae.exe
      C:\Windows\system32\Niipdpae.exe
      4⤵
      PID:8204
    - - C:\Windows\SysWOW64\Nlglpkpi.exe
        
        C:\Windows\system32\Nlglpkpi.exe
        5⤵
        
        PID:8244

C:\Windows\SysWOW64\Noehlgol.exe
C:\Windows\system32\Noehlgol.exe
1⤵
PID:8292
- C:\Windows\SysWOW64\Nbadmege.exe
  C:\Windows\system32\Nbadmege.exe
  2⤵
  PID:8336
- - C:\Windows\SysWOW64\Neppiagi.exe
    C:\Windows\system32\Neppiagi.exe
    3⤵
    PID:8380

C:\Windows\SysWOW64\Nhnlelfm.exe
C:\Windows\system32\Nhnlelfm.exe
1⤵
PID:8420
- C:\Windows\SysWOW64\Npedfjfo.exe
  C:\Windows\system32\Npedfjfo.exe
  2⤵
  PID:8464
- - C:\Windows\SysWOW64\Nccqbeec.exe
    C:\Windows\system32\Nccqbeec.exe
    3⤵
    PID:8508
  - - C:\Windows\SysWOW64\Nebmnqdf.exe
      C:\Windows\system32\Nebmnqdf.exe
      4⤵
      PID:8548

C:\Windows\SysWOW64\Nllekk32.exe
C:\Windows\system32\Nllekk32.exe
1⤵
PID:8588
- C:\Windows\SysWOW64\Nojagf32.exe
  C:\Windows\system32\Nojagf32.exe
  2⤵
  PID:8628
- - C:\Windows\SysWOW64\Ngaihcli.exe
    C:\Windows\system32\Ngaihcli.exe
    3⤵
    PID:8668

C:\Windows\SysWOW64\Nedjdp32.exe
C:\Windows\system32\Nedjdp32.exe
1⤵
PID:8712
- C:\Windows\SysWOW64\Nhbfpl32.exe
  C:\Windows\system32\Nhbfpl32.exe
  2⤵
  PID:8756

C:\Windows\SysWOW64\Nlnbqjjq.exe
C:\Windows\system32\Nlnbqjjq.exe
1⤵
PID:8796
- C:\Windows\SysWOW64\Ogcfncjf.exe
  C:\Windows\system32\Ogcfncjf.exe
  2⤵
  PID:8844

C:\Windows\SysWOW64\Oplkgi32.exe
C:\Windows\system32\Oplkgi32.exe
1⤵
PID:8880
- C:\Windows\SysWOW64\Ocjgcd32.exe
  C:\Windows\system32\Ocjgcd32.exe
  2⤵
  PID:8924
- - C:\Windows\SysWOW64\Oeicopoo.exe
    C:\Windows\system32\Oeicopoo.exe
    3⤵
    PID:8968
  - - C:\Windows\SysWOW64\Oidopn32.exe
      C:\Windows\system32\Oidopn32.exe
      4⤵
      PID:9008
    - - C:\Windows\SysWOW64\Opnglhnd.exe
        
        C:\Windows\system32\Opnglhnd.exe
        5⤵
        
        PID:9072

C:\Windows\SysWOW64\Fpcdji32.exe
C:\Windows\system32\Fpcdji32.exe
1⤵
PID:9164
- C:\Windows\SysWOW64\Fhjlkg32.exe
  C:\Windows\system32\Fhjlkg32.exe
  2⤵
  PID:9204

C:\Windows\SysWOW64\Ffmmgceo.exe
C:\Windows\system32\Ffmmgceo.exe
1⤵
PID:8228
- C:\Windows\SysWOW64\Filicodb.exe
  C:\Windows\system32\Filicodb.exe
  2⤵
  PID:8316
- - C:\Windows\SysWOW64\Fmgecn32.exe
    C:\Windows\system32\Fmgecn32.exe
    3⤵
    PID:8388
  - - C:\Windows\SysWOW64\Fgbfbc32.exe
      C:\Windows\system32\Fgbfbc32.exe
      4⤵
      PID:8460

C:\Windows\SysWOW64\Fapdomgg.exe
C:\Windows\system32\Fapdomgg.exe
1⤵
PID:9120

C:\Windows\SysWOW64\Fkmbbajb.exe
C:\Windows\system32\Fkmbbajb.exe
1⤵
PID:8516
- C:\Windows\SysWOW64\Fmlnomif.exe
  C:\Windows\system32\Fmlnomif.exe
  2⤵
  PID:8596

C:\Windows\SysWOW64\Fpjjkh32.exe
C:\Windows\system32\Fpjjkh32.exe
1⤵
PID:8640
- C:\Windows\SysWOW64\Fdffkgpc.exe
  C:\Windows\system32\Fdffkgpc.exe
  2⤵
  PID:8728

C:\Windows\SysWOW64\Fgdbgbof.exe
C:\Windows\system32\Fgdbgbof.exe
1⤵
PID:8804
- C:\Windows\SysWOW64\Fkpoha32.exe
  C:\Windows\system32\Fkpoha32.exe
  2⤵
  PID:8868

C:\Windows\SysWOW64\Fmnkdm32.exe
C:\Windows\system32\Fmnkdm32.exe
1⤵
PID:8936
- C:\Windows\SysWOW64\Fajgekol.exe
  C:\Windows\system32\Fajgekol.exe
  2⤵
  PID:9000

C:\Windows\SysWOW64\Gdhcagnp.exe
C:\Windows\system32\Gdhcagnp.exe
1⤵
PID:5652
- C:\Windows\SysWOW64\Ghdoae32.exe
  C:\Windows\system32\Ghdoae32.exe
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\Gkbkna32.exe
    C:\Windows\system32\Gkbkna32.exe
    3⤵
    PID:8236
  - - C:\Windows\SysWOW64\Okjnhpee.exe
      C:\Windows\system32\Okjnhpee.exe
      4⤵
      PID:8496
    - - C:\Windows\SysWOW64\Innfgb32.exe
        
        C:\Windows\system32\Innfgb32.exe
        5⤵
        
        PID:8768
      - C:\Windows\SysWOW64\Maggggaf.exe
        
        C:\Windows\system32\Maggggaf.exe
        6⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Pddhlnfg.exe
        
        C:\Windows\system32\Pddhlnfg.exe
        7⤵
        
        PID:9160

C:\Windows\SysWOW64\Phodlm32.exe
C:\Windows\system32\Phodlm32.exe
1⤵
PID:8224
- C:\Windows\SysWOW64\Poimigfm.exe
  C:\Windows\system32\Poimigfm.exe
  2⤵
  PID:8528

C:\Windows\SysWOW64\Cofnba32.exe
C:\Windows\system32\Cofnba32.exe
1⤵
PID:8792
- C:\Windows\SysWOW64\Dbdjol32.exe
  C:\Windows\system32\Dbdjol32.exe
  2⤵
  PID:8700

C:\Windows\SysWOW64\Ddbfkh32.exe
C:\Windows\system32\Ddbfkh32.exe
1⤵
PID:9044
- C:\Windows\SysWOW64\Dhnbkfek.exe
  C:\Windows\system32\Dhnbkfek.exe
  2⤵
  PID:6788
- - C:\Windows\SysWOW64\Hlnjlkjf.exe
    C:\Windows\system32\Hlnjlkjf.exe
    3⤵
    PID:5948
  - - C:\Windows\SysWOW64\Mggecl32.exe
      C:\Windows\system32\Mggecl32.exe
      4⤵
      PID:5640

C:\Windows\SysWOW64\Bdpanj32.exe
C:\Windows\system32\Bdpanj32.exe
1⤵
PID:8568

C:\Windows\SysWOW64\Npepdl32.exe
C:\Windows\system32\Npepdl32.exe
1⤵
PID:3232
- C:\Windows\SysWOW64\Apjkmgjm.exe
  C:\Windows\system32\Apjkmgjm.exe
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\Bhfmic32.exe
    C:\Windows\system32\Bhfmic32.exe
    3⤵
    PID:9032
  - - C:\Windows\SysWOW64\Bmceaj32.exe
      C:\Windows\system32\Bmceaj32.exe
      4⤵
      PID:6524
    - - C:\Windows\SysWOW64\Bdmmnd32.exe
        
        C:\Windows\system32\Bdmmnd32.exe
        5⤵
        
        PID:3252

C:\Windows\SysWOW64\Bobalm32.exe
C:\Windows\system32\Bobalm32.exe
1⤵
PID:7856
- C:\Windows\SysWOW64\Baanhi32.exe
  C:\Windows\system32\Baanhi32.exe
  2⤵
  PID:7824

C:\Windows\SysWOW64\Bhkfdcbd.exe
C:\Windows\system32\Bhkfdcbd.exe
1⤵
PID:5184
- C:\Windows\SysWOW64\Bgnfpp32.exe
  C:\Windows\system32\Bgnfpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:3104
- - C:\Windows\SysWOW64\Bngnmjql.exe
    C:\Windows\system32\Bngnmjql.exe
    3⤵
    PID:5760

C:\Windows\SysWOW64\Bhmbjb32.exe
C:\Windows\system32\Bhmbjb32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:4412
- C:\Windows\SysWOW64\Bkkofn32.exe
  C:\Windows\system32\Bkkofn32.exe
  2⤵
  PID:2412

C:\Windows\SysWOW64\Bogkgmho.exe
C:\Windows\system32\Bogkgmho.exe
1⤵
PID:7184
- C:\Windows\SysWOW64\Baegchgb.exe
  C:\Windows\system32\Baegchgb.exe
  2⤵
  PID:4004

C:\Windows\SysWOW64\Coigllel.exe
C:\Windows\system32\Coigllel.exe
1⤵
PID:8060
- C:\Windows\SysWOW64\Cnlhhi32.exe
  C:\Windows\system32\Cnlhhi32.exe
  2⤵
  PID:6672

C:\Windows\SysWOW64\Cpkddd32.exe
C:\Windows\system32\Cpkddd32.exe
1⤵
PID:5568
- C:\Windows\SysWOW64\Cdfpdc32.exe
  C:\Windows\system32\Cdfpdc32.exe
  2⤵
  PID:8864
- - C:\Windows\SysWOW64\Cgdlqo32.exe
    C:\Windows\system32\Cgdlqo32.exe
    3⤵
    PID:7864

C:\Windows\SysWOW64\Cpmajdig.exe
C:\Windows\system32\Cpmajdig.exe
1⤵
PID:5132
- C:\Windows\SysWOW64\Chdikajj.exe
  C:\Windows\system32\Chdikajj.exe
  2⤵
  PID:8364
- - C:\Windows\SysWOW64\Cggifn32.exe
    C:\Windows\system32\Cggifn32.exe
    3⤵
    PID:8456
  - - C:\Windows\SysWOW64\Ckbegmin.exe
      C:\Windows\system32\Ckbegmin.exe
      4⤵
      PID:3644

C:\Windows\SysWOW64\Bpcnceab.exe
C:\Windows\system32\Bpcnceab.exe
1⤵
PID:7376

C:\Windows\SysWOW64\Ipihiaqa.exe
C:\Windows\system32\Ipihiaqa.exe
1⤵
PID:6044
- C:\Windows\SysWOW64\Jbgdelpe.exe
  C:\Windows\system32\Jbgdelpe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhma32.exe

Filesize
88KB

MD5
ff056c1c8af4f6638b304a519e5c5545

SHA1
180710f2e390a0ca31b6d258940df41414feb104

SHA256
04f000c59d348366209bc18ac0d0c7fa3bfabcdd18312664d1068f6b35df7581

SHA512
3d09a29279a40a4ed4394773fa78b2f1dfd46aeb67e5eb966a1a16127523272fef1cd8533314b48b7a5a1ae29537f82260303e21bd834bea732513f54db842a2

Download Submit
C:\Windows\SysWOW64\Ajfhhp32.exe

Filesize
88KB

MD5
16ef3f12a98e5f8fed681e8157d330e4

SHA1
48f7df445fac7af34efec9ac3f2300d1a2e01a20

SHA256
79ce1f6bf4662e989a449ad802d804826ec2a5fd4254815da7a8460e687ee421

SHA512
0caddb9cb6b8d228fb3a6273b3f4643ca30b12382fc0659d116d059e1e7a38f9e37cc89806628c6f6e0d8558c71f78c8ffa36127be85bcb04aa6fd31ba524bcd

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
88KB

MD5
b98c2635f0c05a9109dbdf672b962c6c

SHA1
b0c15274ba58a2eee4ff5d3005b2928b284bc7c0

SHA256
aed20257381e553a93246d7f4a90e775c9115095356a0935276de69e3735d14f

SHA512
c61a9595aae1ae3eaf6fe4a3b4ab97b80d1d2a470dadd320ebea904acade3941aabcd789026535773a63b5a8cc12f655accb7b655f5437071e648bb0f5aa39f5

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
88KB

MD5
329055e395073a22861e69bfb9274581

SHA1
3e35dce44e6511c6c9c79c99704737cf85218cff

SHA256
cb1f611ad8e0570f64ab89b7914b664ac6e7779cce4bade8bc139420956c38a5

SHA512
5ef6eb33ee62c16071fe77ecae93fa5697bd9bf011ebfb5dc3b458f99e1c3228f605ec8f33c73571544084234e8d54b8e4edf4d08b5dd77aca91ec132eead60d

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
88KB

MD5
f6731d5a6a5db4ab50a35c71812d19bd

SHA1
d188d71b3853018fa589b4a738cdbd99df06d9a1

SHA256
09fdb11d8e91e2d881d7dba0f3ac6ce7f01fe445e2d73a9e90d21c487988ff97

SHA512
81f24c75068835841acd5e210f196fb5de73b25d83d1e9e3a6713095a7a552efec7eba4f46ca62ac84c6c0520863acd56be35cc644cef55bdced909b90f38958

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
67KB

MD5
f0f674e6b4b3f483a42383ce3acc96ba

SHA1
deb229efabf57c161e18c4a9d715894a0a032dfd

SHA256
2e13b2495fbe9f805c75ec6fef5ed2e23eee4838837586b02408db82b381ccc8

SHA512
a28e657fdbf991236643eaddac314b664bac02357f03289e5b58a98d030286ea538db80cada2a7103d529be0c2d7e8de57e7a1cb4157f00ea892b3ee221b3b99

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
46KB

MD5
7a77b302fad48d0fd1b511ea8a065103

SHA1
8b9504f565a537604ccba9381c2ab0287a3003c8

SHA256
c09b6665c940f6725a65107d5f70d35e91309f42357ac3f12d743ea2e2552873

SHA512
6fb20c935e5298aad0041e1989705724bb28b98ec79dafbe3c7a339c6c26a2bb1ab8b28ba4a85278dec1d3e39c2575d4182f97ea726aae0f6468db1d7b9faaab

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
88KB

MD5
13d522fde674200747e47d8eaafbf5a4

SHA1
1c964fc23755d7d85d1e754cfec4fc8bead9cc44

SHA256
c213bdb3807f26607f5f9ca8c527deb241cf11845bb48adf5d1c12ba2d0fe264

SHA512
920b055e0fc8ec910e6393330830945eff41239b9f29c9f12a8103c9cb71856b2d3517c842405d407e409da9e4f7f913d0c5c66ceb2980114d37262e831b9ec8

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
88KB

MD5
d5b5c75bbb555345d63a2ebee3f7cf4c

SHA1
7de24d8830ca8a3e70f10794b27ec9612e0988fe

SHA256
ac0e3ffe6c08e2aade4f9dbe86554048f8460094a221431e15c34d94a2051d46

SHA512
b601bb3e4cf100d2e6cc4379a7e9a9cbe85da5a70b265ea56d1c38555f69b51d647a3968e350ebab7b71763b649a9bb13a7d8fb76d6b50a43ace9830ec8a9ac0

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
88KB

MD5
03a414b3ff5482f0b805db8a59618a70

SHA1
dcacacab46803517b39c9bb42e52b452a28d59c5

SHA256
e7d8e7331bdfb20fff2c39d182afc7fa17dcefb973666e011a99e009551f596d

SHA512
493b0a3cfa27c03977060af8a95e8f753b9239952308984c75f09f4f12addb1ddb6c77b335604a054b8bbcfcbf9f32f5bc72e88e7c1fe11baf26c4ed978eb2e6

Download Submit
C:\Windows\SysWOW64\Dqnjgl32.exe

Filesize
88KB

MD5
a95328a2f9f2e43fe5e766844e4ece1b

SHA1
0844f7c3d03571e4d04c7ebc36342e16115afa57

SHA256
485887e1f5a3088bcc27aff9ce92d4703b6fb9e5014993ed8c7962a3f0875a94

SHA512
0e7d4935c3a1bdcb79ca6c0c41572f39aa36371c2231b744c1987a5ec11971d2162ac0b223d2e3d0d207b3e32f7e4ae307074c3644a42db5ddb0f2e858d02014

Download Submit
C:\Windows\SysWOW64\Edeeci32.exe

Filesize
34KB

MD5
1b51521f3eb816bbc597c4e6ae3bea68

SHA1
8658d6399b848ff663a2a4731a6d32af78c2a6e1

SHA256
cd2aa4b347d15fdb64b600293eaa127665a036842510fea903b314f67650e1a6

SHA512
f629d772685387fbcb40de780d8e2ecd602995c9c83de82b592b5ddd7adbfd4d7c448ff2f31d6d071274e7ffd234f3871a6ec1c95edc5df39c2c31c14ad8984b

Download Submit
C:\Windows\SysWOW64\Egaejeej.exe

Filesize
33KB

MD5
286628dbfacb8ea27b64950af3b14fd9

SHA1
a99b0feb6bd66c8480c9837803b319c3f8389993

SHA256
b1ba822e2bdbe8cbaef7ede333eb57a393976db6bb2bf3ac83941b3c54f8067f

SHA512
5548b459eb169aad905e9616c8770808c296e8461f0e46a0786308749c73dd21611837620b00dbcd57bfe955dfa79208cfef568b86e040a49592f73d4ca73cfd

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
52KB

MD5
0a3859f9c691450db48c7db8017af2b5

SHA1
b883c7fdaf1437e4f9dcd6e0fee67b6671b8416a

SHA256
c0417af0f88ec064f36db990b4d23432d11bb722c591068bf9e78259f56646a6

SHA512
0f1f3985ac57e22a41048cf270a19319239b1243ba8b9cf99f54a9d905e9002d544c8cd2b578796900ff59f3957909cd17ffc33071be92af8563f92d30066492

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
88KB

MD5
0595079f64e494cc52e402312e0e989e

SHA1
2008d9668ba24d7cf7bdb9eb8092c07e9506edde

SHA256
b78ec2871a58b8f99c851e9231428fc0749f3e3fb2e8c800e33f074cbc21a4b6

SHA512
3eff80b94c50d214be9d8ea7321774a4222d886c6c0d2716cfb9f0584f14e69bcb04c2242e8be7a8855a244b01db19f0d94f127302ab1374132630a94c055e48

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
47KB

MD5
090d62ad44cb3ba18c3249acdd0e6a81

SHA1
c0daf8183a7179d6cd0233b56f9517d5f41b368d

SHA256
c6bef27ee44c9d6c2b3c5c2872a17860c844997607f493024aa409ec8e1970e5

SHA512
6354df5566ad367c7d9a3ff9d4736abc62471f836cd3bdf20c51351ee4e10863fca5609239cecd1135574f480a7d93fc4f666c377f330f93a80633745cecac65

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
88KB

MD5
43f3db330cb8ac2144eece3f219ff288

SHA1
a15c5887d992f56647e2c8181b87fe1f329fa5e8

SHA256
b357aa138b7b7a5352cac47bbea5b9781c9548a161e41753e472a951500709b6

SHA512
fa9239015f0fd86fe9d0f6fc45030cf8b7b3f3af3e6a3e5cd897d781c11787e10cbd5976b1d4509b99c44660adfd077ba8ae7cc5cc9639aa600e56fd4e7fbe0d

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
17KB

MD5
44674482c40f178fc4374a15a4de187a

SHA1
1c90a49443e5da217733148b2a195fb666b3c50a

SHA256
5705537f5b74b67b3fdf5642a49df67f0477b4fa604bca4d99ca6479aff6e4e6

SHA512
63ce40618ff77459eced052d45eb224556015e8b51935eb4e406d82a76af016950e60d4bc42cd2b068524a5fca81b049b76c7fe964f5f6d6b3e3193505d58ae7

Download Submit
C:\Windows\SysWOW64\Fbmohmoh.exe

Filesize
8KB

MD5
a1b83d7bf459c007db6a01d813202b72

SHA1
49a15c0311c58c2fb1dc86cd87e48741c5f9199f

SHA256
86d1968ad5a377804bd483253b75fb222dd2e98f3af3d72ddfd7ae76afbf2d2d

SHA512
6f6a30121c3e794e608b058e2125fa37f2e901b7ef464519f394f775737484d50f76cda1f4c2e7a6c53aa62b443d5339b931bc0e8ee202e6d5795f4efdf1086d

Download Submit
C:\Windows\SysWOW64\Mllcocna.exe

Filesize
88KB

MD5
abc9cde773cc34343221a621bb1d0201

SHA1
deff8b16c332eda9944e1c24d621234532c13890

SHA256
da630e4a6b3b13d37c2bc63b8663338ef71130796631e04a476dd4d202ea33d1

SHA512
b4c1603fa3b0840cb6415d812fab6912f1a436dc4908775f15797a6fc5fcf86115314f37828e8bef2b110a6119672f7ffa2fe7d5b38280dc4205d8afb89e8077

Download Submit
C:\Windows\SysWOW64\Ngbpbjoe.exe

Filesize
88KB

MD5
f217a44599df5c6b0bf26a80eaf428db

SHA1
87dbafd5f83192aed0df9aca45a1ea488610d3e1

SHA256
ace4e0fd235c5e6cd95eb525106b87b56f1b31c47e897d57479ee827ac9f70c7

SHA512
7d137aefb11c993cc576af678295c72b0cc2df644b0a58d3aea99c29f5bd35f2748f75753d73bab8bfa4903ff75326959aaedae9f1037e171898149bfe777ec8

Download Submit
C:\Windows\SysWOW64\Oncopcqj.exe

Filesize
88KB

MD5
3a5600c57833f0cc8c2631e8ebcee138

SHA1
cde2f7eab6a6eb6e66f35872bf456f3c8a3ef02f

SHA256
74e8e836632c576f9ee754ad4c687ad2760c9c21f4cf9f30e8798d0a1a21b8f7

SHA512
81970683d8dd3006fed64a8b348cc93b2aa967250c5e2907e54bb6395dfd44225259ab95de486a816109fd96ab6eb1a1332842ecd2052546d73801fc4395ce4b

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
88KB

MD5
50cf74e69027623594dbab2e1299da8b

SHA1
6e32f6a16b3e453a8f0fa8bf429e8200bb1faf14

SHA256
f342c1abf17687e2efb3cb26b67e216e4b5718ab6d9d66e7c8039f71d8f73f69

SHA512
1d97d7e184e3298d9eabc867ea44e6018d8fc7fbb674acbeb5190fa7fbd6d3cc301c2e77cead46ce7c90d9f0e4cee67bbf8005a072a02c137e53727e81f6e4b4

Download Submit
memory/408-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5264-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5428-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads