d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

Analysis

max time kernel
99s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2024.02.08/03a4ed0cb8c9721fc1369cc5f381fd76.exe
Size

141KB
MD5

03a4ed0cb8c9721fc1369cc5f381fd76
SHA1

2ecac749fe4791a39876458be83c7101b5513e71
SHA256

b60ae197bb4109e48286207da2ab9eaa1642d37dda797ac6aabbe8c4dc10ae88
SHA512

f495bfafce3c029fd01f55272e101f84f7e6c5be579dbca0b69dad1731ead82db10de661a9dac043bc1de2f853086644d042b6ceb6f4aa00cc5581c7ae77d832
SSDEEP

3072:aSqxOrrOWl+oWxkFPwQ9bGCmBJFWpoPSkGFj/p7sW0l:aOaWFPN9bGCKJFtE/JK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaclqkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe

Executes dropped EXE 64 IoCs

pid	Process
2372	Bhmbqm32.exe
2040	Bogkmgba.exe
2240	Baegibae.exe
3404	Bhpofl32.exe
956	Cdimqm32.exe
3600	Cponen32.exe
4128	Cncnob32.exe
4560	Cocjiehd.exe
3396	Coegoe32.exe
1620	Cpfcfmlp.exe
4408	Dpiplm32.exe
2292	Dddllkbf.exe
3468	Dojqjdbl.exe
872	Dahmfpap.exe
3700	Ddgibkpc.exe
2908	Dolmodpi.exe
1460	Doojec32.exe
4060	Dkekjdck.exe
2244	Dndgfpbo.exe
2748	Dqbcbkab.exe
2668	Ddnobj32.exe
1348	Dkhgod32.exe
568	Eqgmmk32.exe
1956	Ehpadhll.exe
220	Foapaa32.exe
60	Foclgq32.exe
212	Gokbgpeg.exe
4864	Gkaclqkk.exe
4756	Gejhef32.exe
4536	Gndick32.exe
4928	Gijmad32.exe
4420	Gaebef32.exe
5092	Hbenoi32.exe
1304	Hnlodjpa.exe
3844	Hlblcn32.exe
5016	Haodle32.exe
2904	Hemmac32.exe
3492	Ibqnkh32.exe
1592	Ieojgc32.exe
1684	Iafkld32.exe
4120	Ipgkjlmg.exe
4172	Ihbponja.exe
2088	Ihdldn32.exe
3472	Iondqhpl.exe
4888	Jlbejloe.exe
2800	Jhifomdj.exe
3660	Jbojlfdp.exe
3364	Jpbjfjci.exe
3972	Jadgnb32.exe
1688	Jafdcbge.exe
2124	Jpgdai32.exe
116	Jahqiaeb.exe
936	Kolabf32.exe
1032	Koonge32.exe
1056	Kidben32.exe
4544	Kapfiqoj.exe
2940	Kocgbend.exe
3048	Kpccmhdg.exe
656	Kadpdp32.exe
4288	Likhem32.exe
1780	Lcclncbh.exe
4904	Lojmcdgl.exe
3432	Lcfidb32.exe
1960	Ledepn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Ajbfciej.dll	Acccdj32.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Iocmhlca.dll	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Likhem32.exe	Kadpdp32.exe
File created	C:\Windows\SysWOW64\Defbaa32.dll	Lhenai32.exe
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Apjdikqd.exe
File opened for modification	C:\Windows\SysWOW64\Biklho32.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Lcclncbh.exe	Likhem32.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Afockelf.exe	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Ddlnnc32.dll	Haodle32.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mljmhflh.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Mldjbclh.dll	Hlblcn32.exe
File opened for modification	C:\Windows\SysWOW64\Jafdcbge.exe	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Oophlo32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Kaadlo32.dll	Nciopppp.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Iafkld32.exe	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Jahqiaeb.exe	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mcaipa32.exe
File created	C:\Windows\SysWOW64\Ljkdeeod.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Afcmfe32.exe	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cpogkhnl.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Enemaimp.exe
File opened for modification	C:\Windows\SysWOW64\Ibqnkh32.exe	Hemmac32.exe
File opened for modification	C:\Windows\SysWOW64\Jhifomdj.exe	Jlbejloe.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Iondqhpl.exe	Ihdldn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Dojpmiij.dll	Jpgdai32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Acqgojmb.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Aadghn32.exe
File created	C:\Windows\SysWOW64\Iondqhpl.exe	Ihdldn32.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Oonlfo32.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Nodeaima.dll	Bphqji32.exe
File opened for modification	C:\Windows\SysWOW64\Doojec32.exe	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Ipgkjlmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7016	6220	WerFault.exe	300

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blknem32.dll"	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Lhenai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbilm32.dll"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll"	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adepji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 2372	3188	03a4ed0cb8c9721fc1369cc5f381fd76.exe	90
PID 3188 wrote to memory of 2372	3188	03a4ed0cb8c9721fc1369cc5f381fd76.exe	90
PID 3188 wrote to memory of 2372	3188	03a4ed0cb8c9721fc1369cc5f381fd76.exe	90
PID 2372 wrote to memory of 2040	2372	Bhmbqm32.exe	91
PID 2372 wrote to memory of 2040	2372	Bhmbqm32.exe	91
PID 2372 wrote to memory of 2040	2372	Bhmbqm32.exe	91
PID 2040 wrote to memory of 2240	2040	Bogkmgba.exe	92
PID 2040 wrote to memory of 2240	2040	Bogkmgba.exe	92
PID 2040 wrote to memory of 2240	2040	Bogkmgba.exe	92
PID 2240 wrote to memory of 3404	2240	Baegibae.exe	93
PID 2240 wrote to memory of 3404	2240	Baegibae.exe	93
PID 2240 wrote to memory of 3404	2240	Baegibae.exe	93
PID 3404 wrote to memory of 956	3404	Bhpofl32.exe	94
PID 3404 wrote to memory of 956	3404	Bhpofl32.exe	94
PID 3404 wrote to memory of 956	3404	Bhpofl32.exe	94
PID 956 wrote to memory of 3600	956	Cdimqm32.exe	95
PID 956 wrote to memory of 3600	956	Cdimqm32.exe	95
PID 956 wrote to memory of 3600	956	Cdimqm32.exe	95
PID 3600 wrote to memory of 4128	3600	Cponen32.exe	96
PID 3600 wrote to memory of 4128	3600	Cponen32.exe	96
PID 3600 wrote to memory of 4128	3600	Cponen32.exe	96
PID 4128 wrote to memory of 4560	4128	Cncnob32.exe	97
PID 4128 wrote to memory of 4560	4128	Cncnob32.exe	97
PID 4128 wrote to memory of 4560	4128	Cncnob32.exe	97
PID 4560 wrote to memory of 3396	4560	Cocjiehd.exe	98
PID 4560 wrote to memory of 3396	4560	Cocjiehd.exe	98
PID 4560 wrote to memory of 3396	4560	Cocjiehd.exe	98
PID 3396 wrote to memory of 1620	3396	Coegoe32.exe	99
PID 3396 wrote to memory of 1620	3396	Coegoe32.exe	99
PID 3396 wrote to memory of 1620	3396	Coegoe32.exe	99
PID 1620 wrote to memory of 4408	1620	Cpfcfmlp.exe	100
PID 1620 wrote to memory of 4408	1620	Cpfcfmlp.exe	100
PID 1620 wrote to memory of 4408	1620	Cpfcfmlp.exe	100
PID 4408 wrote to memory of 2292	4408	Dpiplm32.exe	101
PID 4408 wrote to memory of 2292	4408	Dpiplm32.exe	101
PID 4408 wrote to memory of 2292	4408	Dpiplm32.exe	101
PID 2292 wrote to memory of 3468	2292	Dddllkbf.exe	102
PID 2292 wrote to memory of 3468	2292	Dddllkbf.exe	102
PID 2292 wrote to memory of 3468	2292	Dddllkbf.exe	102
PID 3468 wrote to memory of 872	3468	Dojqjdbl.exe	104
PID 3468 wrote to memory of 872	3468	Dojqjdbl.exe	104
PID 3468 wrote to memory of 872	3468	Dojqjdbl.exe	104
PID 872 wrote to memory of 3700	872	Dahmfpap.exe	103
PID 872 wrote to memory of 3700	872	Dahmfpap.exe	103
PID 872 wrote to memory of 3700	872	Dahmfpap.exe	103
PID 3700 wrote to memory of 2908	3700	Ddgibkpc.exe	105
PID 3700 wrote to memory of 2908	3700	Ddgibkpc.exe	105
PID 3700 wrote to memory of 2908	3700	Ddgibkpc.exe	105
PID 2908 wrote to memory of 1460	2908	Dolmodpi.exe	106
PID 2908 wrote to memory of 1460	2908	Dolmodpi.exe	106
PID 2908 wrote to memory of 1460	2908	Dolmodpi.exe	106
PID 1460 wrote to memory of 4060	1460	Doojec32.exe	107
PID 1460 wrote to memory of 4060	1460	Doojec32.exe	107
PID 1460 wrote to memory of 4060	1460	Doojec32.exe	107
PID 4060 wrote to memory of 2244	4060	Dkekjdck.exe	108
PID 4060 wrote to memory of 2244	4060	Dkekjdck.exe	108
PID 4060 wrote to memory of 2244	4060	Dkekjdck.exe	108
PID 2244 wrote to memory of 2748	2244	Dndgfpbo.exe	111
PID 2244 wrote to memory of 2748	2244	Dndgfpbo.exe	111
PID 2244 wrote to memory of 2748	2244	Dndgfpbo.exe	111
PID 2748 wrote to memory of 2668	2748	Dqbcbkab.exe	109
PID 2748 wrote to memory of 2668	2748	Dqbcbkab.exe	109
PID 2748 wrote to memory of 2668	2748	Dqbcbkab.exe	109
PID 2668 wrote to memory of 1348	2668	Ddnobj32.exe	110

C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a4ed0cb8c9721fc1369cc5f381fd76.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a4ed0cb8c9721fc1369cc5f381fd76.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\Bhmbqm32.exe
  C:\Windows\system32\Bhmbqm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Bogkmgba.exe
    C:\Windows\system32\Bogkmgba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\Baegibae.exe
      C:\Windows\system32\Baegibae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872

C:\Windows\SysWOW64\Ddgibkpc.exe
C:\Windows\system32\Ddgibkpc.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\Dolmodpi.exe
  C:\Windows\system32\Dolmodpi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Doojec32.exe
    C:\Windows\system32\Doojec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\Dkekjdck.exe
      C:\Windows\system32\Dkekjdck.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748

C:\Windows\SysWOW64\Ddnobj32.exe
C:\Windows\system32\Ddnobj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Dkhgod32.exe
  C:\Windows\system32\Dkhgod32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1348
- - C:\Windows\SysWOW64\Eqgmmk32.exe
    C:\Windows\system32\Eqgmmk32.exe
    3⤵
    - Executes dropped EXE
    PID:568
  - - C:\Windows\SysWOW64\Ehpadhll.exe
      C:\Windows\system32\Ehpadhll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:1956
    - - C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        5⤵
        Executes dropped EXE
        
        PID:220
      - C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        7⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        9⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        11⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        12⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        22⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        34⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        36⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        42⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        43⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        44⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        45⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        46⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3596
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        48⤵
        
        PID:896
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        49⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        50⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        51⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        52⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        53⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        55⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        56⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        57⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        58⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        60⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        61⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        62⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        63⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        64⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        65⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        66⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        68⤵
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        69⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        70⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:900
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        72⤵
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        73⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        74⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        79⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        81⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        82⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        83⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        85⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        86⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        87⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        88⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        91⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        94⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        95⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        96⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        97⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        98⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        99⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        100⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        101⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        104⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        105⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        106⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        108⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        109⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        111⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        112⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        113⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        114⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        115⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        116⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        120⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        122⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        123⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        126⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        128⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        129⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        130⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        135⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        137⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        138⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        140⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        143⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        146⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        147⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        150⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        156⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        158⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        159⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        160⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        161⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        162⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        163⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        164⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        165⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        166⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        169⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        172⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        174⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        176⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        178⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        180⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        181⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        182⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        183⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        185⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        187⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        188⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        189⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        190⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 408
        191⤵
        Program crash
        
        PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6220 -ip 6220
1⤵
PID:6904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baegibae.exe

Filesize
141KB

MD5
b817668151cd61eafea43a89fa10b57b

SHA1
a45a42710c0ec5ecdb63d1dfe9f6119d1a52a67a

SHA256
893d9cfe87637c64849a2bac631ee57bb2b37bee4133ba6880f449f99094e9f4

SHA512
3308176d4c5254dcd485d4ea07721d8fa4e431b0849e646b0e4849625de76443a2c604ba9736d842374d8c83aee171ca99dee0cae6757f94eb8bc9871c3fce46

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
141KB

MD5
96bbdc4286245f3db29751c5c0343df7

SHA1
c4d8fdbb8866782fddf1b29f6f07097e9713a3dd

SHA256
985a87c4e153f044fb35940b8be5d65d727afac6310c2c175eefcccc9b88fa22

SHA512
5893e5110f4d09e9731201b01a46a894722df3cb7e36ebd56d5d604170fba139e2182dbba04a1eed151e6bfd2fd3c4e95fdf569a1ce5a4f2fbd0ad961aad2c13

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
141KB

MD5
a2b8892493aa07ec4abe7bb613e09cb1

SHA1
95e60a723fade6d4d7239f4e35e73ba4ec091bd6

SHA256
b1458348a4e986f284132ce7463d9a54cbc0ece6a82388758181e68f819d9364

SHA512
24dd1b5208e921a9e83e134b5ea4a1c2e88fabebaec427de215090f1a2f089dc18c2782c4fc80e1a3ed6d2bea2a9cbab058984dfb2377f1c1dde2590fb02d96a

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
141KB

MD5
d625f68e6ab0b78848cd917ebb540fcf

SHA1
049070455cf29235ee37d8ac1ad3c991d41e1833

SHA256
7482661576a52c85538323ebe5ca69a2468f29d0118a2ad7a98c701973d535e9

SHA512
48863c170390fa9464dd2a7a6cb69efbcd41d0629071222b4de579e4f2e1d79fed7a0e3653c8994ecd3c3e5083e9bee77eafc8eb8ea645a3637acea0e30dc6fa

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
141KB

MD5
9ba335b93f2e4e6123a65483d7096f95

SHA1
f21851f42e933f494902d865ff635c1ae1a40988

SHA256
3d1233ed89b074421e69d8a507c59ce614ca7b24685c7f6e14b0abbbf1facdf0

SHA512
ae90f3eed6345d37956d493c9b0d5780de61bbd6e2a91dde492093d54a0d40104d6c9a0b291a90b8cc6933e934fe649327426e7f6ba934eabe727bc91c4a978d

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
141KB

MD5
a1711c760cefc9c4afa19b4849729fdc

SHA1
8c96de6eb4ebec427cc03a932e4f6f848ee4378e

SHA256
2c3c492bee15d72335925354326fbae3ce6dbc800824cf8656c129f68bb7419a

SHA512
48bf0ced0f274a10b1fd5b4e896b4f14ea7ef1e3e3923c07ad1fbeb5470a608979d0956199958d6ecc939be0da5c38746c938c01e85e354186301e55f46d7450

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
141KB

MD5
aaf2bf415d5f029ae36c09fa57004988

SHA1
9da79faa1cdf89206875b0b3327be892997f9ec9

SHA256
e1f126238663c37db7a17e3c7216dd3332fca318a7428229aa2414b981c37902

SHA512
c52250fd9599849bddafc424fc52f42df308c3766b90f9a7342a401b4dee145ee4ad4a91a7b58e486c552421e0d8aa047ac27a1e7f95e80a6126d1f7ffbfec0a

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
141KB

MD5
c53ab8fbc78df082c8e5639ae4a022f6

SHA1
f180a781e0fc92e5bef9f84eb4560c3359ab96fa

SHA256
d53640fee493f45822cb8eaee3174c65f2366b0f06ca976a256d9d3c3cbd03e4

SHA512
0560c72b25d499d06ef11eaf41752a0a1c2264a579a3558eaf508ffd59c19ef6688a59018ac8fe82d229fa383ce25119fd29411b329a072e1ef2b6a3209ab421

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
141KB

MD5
91c95e6c0d31fbbbf3a17d45d909af7e

SHA1
fcece1936483771fd3132cc225015e07fc62e5ea

SHA256
a71bd5e958d19749b1f264f55824bd9d70b52158767b083ffbda117477cf741e

SHA512
174f167bb62254d05e7f3b6bedb8cff80fde93f63a0c45edea4fe758426a721cff5574c5e6891f923e1c5d9e42b1c1061b1943063b86ed23e463f1a06668ba8a

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
141KB

MD5
aac3345cd67e7e5abff80118cda598ab

SHA1
def5c3ad5e1ae910945394a8cb8ee420f2402e2e

SHA256
5a3ebaed79e0339a63e09ee3598637f0d0f54831a41c49f020a8624b099c0bfe

SHA512
8810016cd8f4a90fccc971da0633599026433ca59106380096e08c23e433d91844f3bdf7466a2263349dab02840e47701873397d7853057ac9436d9db71a52a1

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
141KB

MD5
ffabc2e455629d01065c2b85248ddf44

SHA1
acac0e0dbd29d5e803168bc77fdbd0e53b548d01

SHA256
9643e541119b4192f62322a7ab263e72cb6fb8ce61112f8d2eb26545fcab0f53

SHA512
9e2de6ee73e0d1c39c4e92c0b96c04c5d878d8378507d09a33bb3215412ff08f3476272e7a899635b99ae12477d508edce2751409aab608f3e68f8ee157b9fa2

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
141KB

MD5
d006d0527752e51587971da1d5ef6815

SHA1
1c6087798b6f1f75f217141aada5099eb586e2cb

SHA256
efbe49e998db2e7d1cf24036308cd3a77152a8c9b8562c0bfdd7844041ddaeb2

SHA512
ea8a3895ef62d0a776c6263b7961fcc391a77c30962ebf2c9cf9d1e11b1cb84d343837a10ec2f74a34fb881d7aa0c9c82d59f09a5dcbfaea02ab240b23da6566

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
141KB

MD5
6e3311eab6493d5f2d430cf57af76819

SHA1
8afb2d97d27eccff06f85698c0bb2b74649de947

SHA256
deda55dbdcf090a30578c541c3e17040af4524d301cf288de59bab9a2429e171

SHA512
3d28e480d3e130c4c13c93832fb9bd6f8631ee9dfbc419397c8ab0c39f6fd579d0bca2f2d57fe89f7d54cde9a548f93f8c926066b216f65eb9787d83f9f209ed

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
141KB

MD5
1c45190970b013071fbcd89622f0898c

SHA1
328620322116fd51603df9a20e5bb9380e9642a5

SHA256
d72f6ada42a6d07a1d3a79407a9ed7d444ecb964323a7ac1ac82b0591a95c317

SHA512
e15f0b71a1971f6226408c7aa9600a91cc5e28d00bd05be580e93ca0ac3e9045adcc102a4a7a5701f2a6c850acefedf55b58a138308afb9ceb9bda6e318c320b

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
141KB

MD5
41ad4e16350f9f12e58df1c3732e1286

SHA1
99a9a20dd0f7cfbd2c6ac85c04d147ed238fcfdb

SHA256
09e55f5cf91ef22ad538a7acb9eba4270e88177a18bda02cdb820fea263d01b3

SHA512
efbf748aa412b976dd9db6f3a17f95026a05fe4364484b5805205255eaa440ecdf432ef1d71a4c70371c2904dbbf94f51ab8080ea6115ec02b7b5e29c1363619

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
141KB

MD5
d15de2f5f3c0e49309a2d4882a98931b

SHA1
2d2e48248767bf77b7feb633fe851131bd17af98

SHA256
ff85d79d5c25b7c39bfb54f609e3398914d7c1af829342013101314c720767f7

SHA512
543ff87be5995e504ce1025b616fe1299f20d7f4da73db4243736cb146059572eae62cdefcec22811c3aa0fbe02f3e3c0fb8a76935a6e4d1be62b92f87bdec0c

Download Submit
C:\Windows\SysWOW64\Dndgfpbo.exe

Filesize
141KB

MD5
8d59916073915ae6044b5d432655cf81

SHA1
399eb7cdc0ebf6e74724176f8258689465f45953

SHA256
2c48957a715b466e379ec32226290f56474de4feba5c5340bf6237ee2006a005

SHA512
29d2156e41bfc31a76bf778a8db0c31b07e296c48005991d22b242c7cb1a888b69e3bf63901a47d308edcb06a4e4d0ccf2e0946de708da60b00c4e6e2b16dd18

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
141KB

MD5
28c96e355ccc38cd56b61b11edd8629f

SHA1
9b7d7c098fd2b62c15e0b20876e1ac09655af71c

SHA256
4b5edc845cf83f7724596c2f5e5bf252c3ce791294b0218927773520cb74c55e

SHA512
3c14735eb3956527a6cbb5a36f2483c211c5c4627a9987339a4e5e29de62ae6f3dd8a54db5951c1ff572738d1fecd7edc43acc89bf8565d93ac7d71e4ab6896e

Download Submit
C:\Windows\SysWOW64\Dolmodpi.exe

Filesize
141KB

MD5
b8d8ab2836031bda683a2a3f55f253fc

SHA1
3696ffc3d0df16963621d7073d2469364546aa03

SHA256
bea40994f386ad0b6073f8037dc16d9fc2e39802678a6b2e72947d9ead4a299e

SHA512
732551766007d314b8e21fa6c4984c43f8912de5618c7065473f1d59654a9e87b80f2bf1d775ed99564effc326f621b6b0f0bdaa7bfa8db5314bd82dcb470465

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
141KB

MD5
4e018faaa5ae1fd9408db9e4cb67f7fc

SHA1
41a3163380c25705130ddcf5796ed00ac48559f1

SHA256
479ddbb86f88c9190ace7e3ae4b6fb6276d6594e4944bde8aa4e1ba75475f0e4

SHA512
5cbecd9de66f4c698f5a025faef816d076e1334b9bbcc205c154311e473c9ab68ff7f92f659400f0d37dfd28e1803cb76d3660dbb65d00a62c9cb1bacfc77b6d

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
141KB

MD5
e8297c1f78f0e59cde43e103d52d81bb

SHA1
ffe957b92858042aa6a35fc7a99b8dfcb5751453

SHA256
5e6c47e81058e3e2780ee01f8c4b9f57f5e58703cbb9d28269d49d5e91057213

SHA512
796973ef33694aa51a3d29a488ebbac06afc71851c09d6385d644fb76b9389e1ea6a70f846426666515739dce1dd55d88d9060a6b9aa7266e403e23331ffa3ba

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
141KB

MD5
b71631ae3fe9f6e5e8da66169bd0ed29

SHA1
45c04b0e3df2e5778d04947420d862c1809f22cf

SHA256
8b998be560eca45f63d64389d296b457ed13a1af753f849c4680353e28c83f4b

SHA512
3f124fecb1016c2fc4c57056b2ab08ec73a494cf29c6a2975943aed3ebd48709ecf2fb7eac01da48eabb956fdd9b01952e843f736ad7d0dd1422df6ad0c52122

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
141KB

MD5
998d8e28a2e1271bd3071df5fbd752a0

SHA1
0c3a6033001ebbc063835c238c8947fec6925e8f

SHA256
b7b9fb9206812474025a36e130b892fcb80860b83e84350f1a8dc79524a0791b

SHA512
e8a97f1a1cc6dad435cc4fd7d68d40274bb15f3734c6113fd2798bd767a30e9a4414657d6c9ff31c8dce2a6bcba262f9f23859c24a375483092a6de2dfc1a257

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
141KB

MD5
e5be2fa6e1dce3e5a0c8baa79e68da11

SHA1
6cd0f7a12e9351ddab577d673db0e8e67a0928fe

SHA256
934731d7b73fb4827bf6ac7069546c2020e2452c7b090b9e53f5b8ba05e223d3

SHA512
33006733d0ea2cb1adf54917ad5e31c2cfcaf67f56867ef66dd6b2ff00da045968c5b97a947b5acb8c2e20aa0a0b98374b4c2cdd9e760e58e6af6ea8550e9393

Download Submit
C:\Windows\SysWOW64\Foapaa32.exe

Filesize
141KB

MD5
beda358572b24b6784ddbc0bcb0b31d3

SHA1
58271752db0e0c281f456ca3b6aa2131646b2ace

SHA256
ff038c771e79e48ca5bad84285e65ea9ca8411b0761bf6e1bfcf262a458dcb32

SHA512
8f56f0abda4363f9576f598ac0797880b7fb87d027491da7b03d41fee975e42048a1f32a6852dea4dbbe8c208f7cb47ea2756be3a8657e33cee7b4d015bdeccf

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
141KB

MD5
2a4931e60a935997f6901c6eee3fdfb9

SHA1
1b57abb04aa55dc666277c544abd07becf6349e5

SHA256
f92510849335a16c77b817ec28cf90b7ef811c612b89e795c1785b408c712623

SHA512
4ca7803793ee1307e3ac90399cd4f8f924d89a4e9c135ba1787913eb268e377c4d0eb5fd1272d30b2b9d93bc1880541adcaf51fbe9dd4db09b3644cb60a2cf41

Download Submit
C:\Windows\SysWOW64\Gaebef32.exe

Filesize
141KB

MD5
960497d8481e08231321ff852bfe2868

SHA1
f6e6835440453290825abac5f5c317fe913db384

SHA256
559fe254eab56a4e8737fff9de5d19cd24e79cdd091af47af4bc5669068a03cb

SHA512
9c36e9d2cc69122639aeb04fccb1f57cda08bf4a40c8d9d0682f82a3f0b10046c2ea1a92f05ee647c1b5138bd020e90913830754c47e6e7a948a872c839357df

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
141KB

MD5
5cc13b69f6d246ed1aa88e5b308c79c5

SHA1
320f0c5165066fd10cba65bddcd6425dff4153e1

SHA256
c5e9e41753c933f3c7b04c94bac70148fa1bae1c0c033805722f32c1e03efadf

SHA512
5868365cd8f7a66e7e34d840003d9025b891867c9bdbed039e7a82f9dd9ec4d9e8001e35304feeeece338120903b7d2e552b4e9b63517258aaea65c05e433b64

Download Submit
C:\Windows\SysWOW64\Gijmad32.exe

Filesize
141KB

MD5
970cafd3b1c4273f5770f2471f19dab1

SHA1
e02836ae2245c0f35340b6b3e06ddac6b37b586c

SHA256
1076cab9d9e4bf22011c72284367b02bd8e3db0f73231ead7970952352a1675c

SHA512
107b66f33c34433ed0eba4f2bf730294daa716068caa7e8d174171350bf93cd7412f26f2fb0bc17e459ae7153d81d829fb5d9838ffa6ad56ad8c6a350783c9b5

Download Submit
C:\Windows\SysWOW64\Gkaclqkk.exe

Filesize
141KB

MD5
d6b10efe36c6f5abd13b9f485c351920

SHA1
6164dfeddc5e7df2566f89036cbde4fc67796493

SHA256
2521b62ff1cfbeed3c5c8a859ae8f5800e6928e8d5c5fa4d4c20bc00324802fa

SHA512
eeb465e0fdc1f25c61276d23c20179b9fe9b886044e73693a94921b0b48201053d008335717751339b8ca222ec777d024d3292c072e60dffa68785109b744877

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
141KB

MD5
37b8ffcae2bc91c9bad05e1d23e38abf

SHA1
da266fa15b7aa7793b474ee73f579324bcd689a8

SHA256
295c8346fdf4209b886180540bf71f723142b678a81f5553e9b999255f68319e

SHA512
ef18f4181db7a992501106aa7551f80ca12725f57587cd0c9745653c08275ad1656cc78a4c6e0dbd1aecdb3181811f469d487a0b866aaa3bd0356e08bec1e54d

Download Submit
C:\Windows\SysWOW64\Gokbgpeg.exe

Filesize
141KB

MD5
b03e830d52f1ab419815dce27b873029

SHA1
a04e40de045c53244b08ca6614fcf8752085b499

SHA256
228c0162403a0b652d07136ab3f08568d22794678733fe224ebfda23cce47fdc

SHA512
8c69b8f2a0751a120ebbe47490129e7617b27d40f54d79c54410dc6ea716d382f44c2faef9ae04015e03c920aa4e3f84234b89c0bd9fa911a2c55aaf35c46566

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
141KB

MD5
dc43b62a8c469570a2f8b25e7ab9a034

SHA1
552d90439c298bf631cedda82fc3607f0fdc2662

SHA256
d8c6d13698ce021ab50b07e097b9184ba5d180e7c5afb57f10287eb12b38fb12

SHA512
72936e1b249c23c09601755591eddbb393e43227657fd89087ca20dd85aff9f4402dc36db979c43f670b663ed6b3b73c8215cc7277cd8477f260baed59c39038

Download Submit
C:\Windows\SysWOW64\Hlblcn32.exe

Filesize
64KB

MD5
f6bd862384ba7207a0bf8cb48b12905a

SHA1
4b5be36a1a442fa3444aa2a3b09dc849e3d98810

SHA256
853b8845dd152a1567ad9d6efe01c23479976ce4f3c74160272a9fc46d49f977

SHA512
b9309a5bf65569548a66f3bdb427a3c35af654e7943c849df22f86b25fd92e18047cb3177f37853f1f3c4734c92dd2d954df45833494530f09be84b4f98dae25

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
141KB

MD5
28387bc17925ffb7890ec7354899801a

SHA1
e9db20287cba70535ee58d64ae607c91177b7e7a

SHA256
4b077c813f408527963846b74615e1e98a78811eb7df23449fde4eb6bae1fb4e

SHA512
4ea8aaf443c8b98bf7df2b0f060c04240c9792221a5cf88fd4fb5c730b4e7284946a7e3acf5dc60e0b5c07996a6bf1da2c95143074f581a8c2b6a3da13547324

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
141KB

MD5
567043a501615811133cc57b63d2f24a

SHA1
963d3e1011a06e2e1a604b44c54eb86d6cb1f3e1

SHA256
5d1224e96718fe7391949cf67021da0fc6f8b1a95d08b1563536c2c4dc5bbc8a

SHA512
bce1fc5f4fda91cec29de615ae736d7906fce1000a904c8b2cd7c29fe1d04314c773d8032f6c6a15f3c603dd88f1aab0e0bafb6165bef402c047895bf1c3e7c2

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
141KB

MD5
068cdc7030935b962cff77b8e51f3298

SHA1
f4425bd6fa7e2e02ef23a7f608c792840bf52100

SHA256
2a1902523d8694907704dbb1c41ebd6a021e870d5f44729d69bcd8c9397cb76c

SHA512
24b4f209cc145f19796fe7cdbf9ac34a1edea1494bcfde0427a4bbf3674e7bd928e5ddb0b7beaed0993bd26a884b3f7f99655f17c272a200cbb1a5b584905d27

Download Submit
C:\Windows\SysWOW64\Kocgbend.exe

Filesize
141KB

MD5
1f78cc2d80f6343782a0ceeb8b71cb7a

SHA1
1433674c6af47fcb7a758dbfcbdd4ed13266ab71

SHA256
ebcd4e846a793ca00bcbd304d5a7eaad8fa10679c327ed764b7667bc28087925

SHA512
6c0f8fb65be5ed5dae909beecca8ac3fb1103b40527f6c89ba1484a36b3171029bd3cec797197317b35309bcf3fc5dcee87d924a2ed577214404893ea5b6c333

Download Submit
C:\Windows\SysWOW64\Koonge32.exe

Filesize
141KB

MD5
62dcf9591895380a88582602cd79e06c

SHA1
d707b9b60a814e40f8d7c325b08ececccf98baad

SHA256
b12e42679c3c025306ecc2c7bc90f1c9b0a25dd9fe999f5b51a1012b805018f0

SHA512
79dc1a34e2e0ed902a3d7aeff34f88a2dc2f7cd0bb96a4c9c794c5137cde5c8518b859b0389ee6d838ab7e0d4e375aa9f32712471d2f3c39c3380a1f34ede84e

Download Submit
C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
141KB

MD5
e171ef3f7e71f9c24d0d16103cbd318c

SHA1
0823a0d647e950abb0309ac5dff00ecd3473f54c

SHA256
2f8e263bd160a184a979ba94a9b4ed4efff3c29dd8f927a50983051fc1b1bf86

SHA512
4514b714dc0291f2b36be80c3415d81a303351887ca9fdf1c79d5cae010c85fddbef022f2c43253c154d6bb7f5af02b02cd103ce3e1340178a4b006fac7f27cf

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
141KB

MD5
dcd6c155c9431e2080ebafebedc11c8b

SHA1
c47da3809609fc900deb003ed0c1e0fb39280dcb

SHA256
d5ddf4b157079333251358811bf5ee54ebe9d7953b0ab90858255f2772c2d3fe

SHA512
4e215e8340dff2a5e0c7e2f2a25898139b5248d398c56186b48eb98319db1bcd31ac988b65ba055231f4205a4d413a51b483fdb975d10479fd4f5cc35743fc99

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
141KB

MD5
c38d80f4e7136576a0b8585a4fd57821

SHA1
f6a27e2c94501c1be78313a62b105925d102678f

SHA256
e6c08072607407b087babf1481ed4169490a23303b49fc59cb927f56636b0cf6

SHA512
a8a646dce8f084c9a8de49d1b85501a44efc998df7e7918256b7c5b77d64d8a67864914c35128ddfff779a4e607188cd185bb98feec42a9839cfb88521333cf0

Download Submit
memory/60-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/212-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/220-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/568-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/656-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/936-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3364-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3396-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3468-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3472-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3700-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3844-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4288-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads