57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae

Analysis

max time kernel
8s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe
Size

92KB
MD5

a3b861ecd755eb64f3514a168b68f277
SHA1

263c0b318d16de76e2e7af1ea43b28c0d0442dfc
SHA256

57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae
SHA512

094654bb77dc2ff1691276829b5ab8a085e48c25638f511700b0b92188d1a06e51669face3019e4b6ac6461f6d4a9d6ffd2eb0ec34ff1dd2a0f3b7c51e2f45d8
SSDEEP

1536:SFIkeuUB8iBxOCaBQFD3VcJiAsE9ghjXq+66DFUABABOVLefE3:X8izqk3edwhj6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	Chphoh32.exe
3324	Cojqkbdf.exe
2976	Caimgncj.exe
872	Cipehkcl.exe
1956	Cpjmee32.exe
4732	Cchiaqjm.exe
3116	Cefemliq.exe
2516	Clqnjf32.exe
4788	Coojfa32.exe
1660	Ceibclgn.exe
2076	Clckpf32.exe
2544	Coagla32.exe
2636	Capchmmb.exe
1048	Dhjkdg32.exe
744	Dpacfd32.exe
1444	Dabpnlkp.exe
3948	Diihojkb.exe
4360	Dlgdkeje.exe
3672	Dofpgqji.exe
4668	Dadlclim.exe
3536	Djlddi32.exe
2620	Dhnepfpj.exe
4460	Dpemacql.exe
3924	Debeijoc.exe
884	Dllmfd32.exe
1464	Dokjbp32.exe
3448	Daifnk32.exe
372	Djpnohej.exe
540	Dlojkddn.exe
3360	Dchbhn32.exe
2736	Dakbckbe.exe
5076	Ejbkehcg.exe
1076	Epmcab32.exe
4220	Eckonn32.exe
4628	Ejegjh32.exe
3316	Elccfc32.exe
1892	Eoapbo32.exe
3284	Ebploj32.exe
1912	Ehjdldfl.exe
2044	Ecphimfb.exe
1960	Ebbidj32.exe
4780	Elhmablc.exe
3692	Eofinnkf.exe
404	Efpajh32.exe
3588	Eoifcnid.exe
4568	Ffbnph32.exe
1688	Fhajlc32.exe
5056	Fokbim32.exe
4032	Fbioei32.exe
4692	Ffekegon.exe
768	Fomonm32.exe
3044	Fbllkh32.exe
868	Fjcclf32.exe
4540	Fmapha32.exe
3384	Fckhdk32.exe
4248	Fmclmabe.exe
3980	Fobiilai.exe
4484	Fbqefhpm.exe
1564	Fjhmgeao.exe
1412	Fmficqpc.exe
4508	Fodeolof.exe
3820	Gfnnlffc.exe
8	Gimjhafg.exe
1868	Gogbdl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Dpacfd32.exe	Dhjkdg32.exe
File created	C:\Windows\SysWOW64\Hbiklpin.dll	Dabpnlkp.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Clckpf32.exe	Ceibclgn.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Dhjkdg32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Dhnepfpj.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Capchmmb.exe	Coagla32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jgegko32.dll	Diihojkb.exe
File created	C:\Windows\SysWOW64\Dhjkdg32.exe	Capchmmb.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Cchiaqjm.exe	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7728	7636	WerFault.exe	299

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahphpi.dll"	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhehdem.dll"	57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkokhc32.dll"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gogbdl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2732	2520	57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe	89
PID 2520 wrote to memory of 2732	2520	57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe	89
PID 2520 wrote to memory of 2732	2520	57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe	89
PID 2732 wrote to memory of 3324	2732	Chphoh32.exe	90
PID 2732 wrote to memory of 3324	2732	Chphoh32.exe	90
PID 2732 wrote to memory of 3324	2732	Chphoh32.exe	90
PID 3324 wrote to memory of 2976	3324	Cojqkbdf.exe	91
PID 3324 wrote to memory of 2976	3324	Cojqkbdf.exe	91
PID 3324 wrote to memory of 2976	3324	Cojqkbdf.exe	91
PID 2976 wrote to memory of 872	2976	Caimgncj.exe	92
PID 2976 wrote to memory of 872	2976	Caimgncj.exe	92
PID 2976 wrote to memory of 872	2976	Caimgncj.exe	92
PID 872 wrote to memory of 1956	872	Cipehkcl.exe	93
PID 872 wrote to memory of 1956	872	Cipehkcl.exe	93
PID 872 wrote to memory of 1956	872	Cipehkcl.exe	93
PID 1956 wrote to memory of 4732	1956	Cpjmee32.exe	94
PID 1956 wrote to memory of 4732	1956	Cpjmee32.exe	94
PID 1956 wrote to memory of 4732	1956	Cpjmee32.exe	94
PID 4732 wrote to memory of 3116	4732	Cchiaqjm.exe	95
PID 4732 wrote to memory of 3116	4732	Cchiaqjm.exe	95
PID 4732 wrote to memory of 3116	4732	Cchiaqjm.exe	95
PID 3116 wrote to memory of 2516	3116	Cefemliq.exe	96
PID 3116 wrote to memory of 2516	3116	Cefemliq.exe	96
PID 3116 wrote to memory of 2516	3116	Cefemliq.exe	96
PID 2516 wrote to memory of 4788	2516	Clqnjf32.exe	97
PID 2516 wrote to memory of 4788	2516	Clqnjf32.exe	97
PID 2516 wrote to memory of 4788	2516	Clqnjf32.exe	97
PID 4788 wrote to memory of 1660	4788	Coojfa32.exe	98
PID 4788 wrote to memory of 1660	4788	Coojfa32.exe	98
PID 4788 wrote to memory of 1660	4788	Coojfa32.exe	98
PID 1660 wrote to memory of 2076	1660	Ceibclgn.exe	99
PID 1660 wrote to memory of 2076	1660	Ceibclgn.exe	99
PID 1660 wrote to memory of 2076	1660	Ceibclgn.exe	99
PID 2076 wrote to memory of 2544	2076	Clckpf32.exe	100
PID 2076 wrote to memory of 2544	2076	Clckpf32.exe	100
PID 2076 wrote to memory of 2544	2076	Clckpf32.exe	100
PID 2544 wrote to memory of 2636	2544	Coagla32.exe	101
PID 2544 wrote to memory of 2636	2544	Coagla32.exe	101
PID 2544 wrote to memory of 2636	2544	Coagla32.exe	101
PID 2636 wrote to memory of 1048	2636	Capchmmb.exe	102
PID 2636 wrote to memory of 1048	2636	Capchmmb.exe	102
PID 2636 wrote to memory of 1048	2636	Capchmmb.exe	102
PID 1048 wrote to memory of 744	1048	Dhjkdg32.exe	103
PID 1048 wrote to memory of 744	1048	Dhjkdg32.exe	103
PID 1048 wrote to memory of 744	1048	Dhjkdg32.exe	103
PID 744 wrote to memory of 1444	744	Dpacfd32.exe	104
PID 744 wrote to memory of 1444	744	Dpacfd32.exe	104
PID 744 wrote to memory of 1444	744	Dpacfd32.exe	104
PID 1444 wrote to memory of 3948	1444	Dabpnlkp.exe	105
PID 1444 wrote to memory of 3948	1444	Dabpnlkp.exe	105
PID 1444 wrote to memory of 3948	1444	Dabpnlkp.exe	105
PID 3948 wrote to memory of 4360	3948	Diihojkb.exe	106
PID 3948 wrote to memory of 4360	3948	Diihojkb.exe	106
PID 3948 wrote to memory of 4360	3948	Diihojkb.exe	106
PID 4360 wrote to memory of 3672	4360	Dlgdkeje.exe	107
PID 4360 wrote to memory of 3672	4360	Dlgdkeje.exe	107
PID 4360 wrote to memory of 3672	4360	Dlgdkeje.exe	107
PID 3672 wrote to memory of 4668	3672	Dofpgqji.exe	108
PID 3672 wrote to memory of 4668	3672	Dofpgqji.exe	108
PID 3672 wrote to memory of 4668	3672	Dofpgqji.exe	108
PID 4668 wrote to memory of 3536	4668	Dadlclim.exe	110
PID 4668 wrote to memory of 3536	4668	Dadlclim.exe	110
PID 4668 wrote to memory of 3536	4668	Dadlclim.exe	110
PID 3536 wrote to memory of 2620	3536	Djlddi32.exe	111

C:\Users\Admin\AppData\Local\Temp\57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe
"C:\Users\Admin\AppData\Local\Temp\57e481976d603fd8af6a458c7e503d2142bcecef56b21863fc8af57673a06eae.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\Chphoh32.exe
  C:\Windows\system32\Chphoh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Cojqkbdf.exe
    C:\Windows\system32\Cojqkbdf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\Caimgncj.exe
      C:\Windows\system32\Caimgncj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        25⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        28⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        29⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        33⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        34⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        35⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        37⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        38⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        40⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        41⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        42⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        43⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        44⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        47⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        48⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        49⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        54⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        55⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        57⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        59⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        62⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        63⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        64⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        66⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        67⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3456
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        72⤵
        
        PID:604
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3104
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        75⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        76⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4176
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        81⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        83⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        84⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        85⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        87⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        88⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        90⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        91⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        95⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        96⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        97⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        101⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        102⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        103⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        104⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        105⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        106⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        108⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        110⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        112⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        113⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        115⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        121⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        122⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        126⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        134⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        135⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        136⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        137⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        140⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        141⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        142⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        144⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        145⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        147⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        148⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        154⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        155⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        156⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        157⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        158⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        161⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        162⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        163⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        165⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        168⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        170⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        171⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        172⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        174⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        177⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        178⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        179⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        180⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        181⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        184⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        185⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        186⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        188⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        189⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        191⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        192⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        194⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        195⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        196⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7256
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        201⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        202⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        203⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        204⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7592
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        206⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 400
        207⤵
        Program crash
        
        PID:7728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7636 -ip 7636
1⤵
PID:7704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caimgncj.exe

Filesize
92KB

MD5
3c07857bd86015aad104898421c9ae66

SHA1
29586462a7415144f275e907c930b4a29a6e5dc1

SHA256
b44da11373a5d492eade12ff1dc91352e1fe372195f429e21f013d54ecf60448

SHA512
661de4ccb7e5b84b99f5c17dac38a4aa97b1ec1d8b3fa7ab6979056e99a5300285e7e6403d248efc145f1066282269d6dd361f8793f101e451f8452525709b05

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
92KB

MD5
210150dadc13237a8d0ec23a3f094de3

SHA1
cf4d26e779506d4d28636c8b6854aae60ae6f0d5

SHA256
34e04588c80ff180ed15358005063b58ff1715f1aa6bb87a18f4c1e9c282cf07

SHA512
efbcc22724e1186604a359e9f5ed13d7b497695937ff1a78478569e8be34a136b1d75a4def14e484071a19ad1d4ff4ecead7a51d17028f7b774d6439e291c4ad

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
92KB

MD5
9eb3f4836e1afd7e3816e7379ab99987

SHA1
741ee9a0d2160b43e3cad773800be347b7c050f3

SHA256
8533ba82ceadcdfd5cdf72b72c99810060f8a3cf359d61aa27656a1fb91b492d

SHA512
21bf8c8ef4ac2886b0242fd3f04b090816f18fd0bae6aceef0f346eb681f8e1979497cd14a68c155dff12f04a440e2bec72068e42ad56a973cd9ed65d9cab920

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
92KB

MD5
2ebfc0f5dd7e085deb88958a3ab57d6f

SHA1
e0aa662b32f231602659fe53d6fc8508aaa8afd9

SHA256
86d640e8f736cc3ca6ca793e17e471ca5bbe1553cf47d20885f3ed84ce5940dd

SHA512
5af73b9b72cbcefee85abddd003e75d5baf9b80b9cea9475240557beb4ae4f051d66113693808e483f475970913b1915014ff10319275becd9dd2fcfa82527c4

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
92KB

MD5
b9627937ed34744eb6662c5f010d4bfc

SHA1
fb789ec858923b00baad4580ffc3549b37977e2f

SHA256
030fc8d5c88fc71b508f3dae82310c4ef588fccf1f47ccc6dd9816d4797cb4e9

SHA512
7f4977c340cff98077f4efe54dea086575fbf37f827c5f52c35d630c6a513d769c2972815228b1866cbce7a553ac1f5c1645ec7586fd903f507876281aa89cdc

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
92KB

MD5
8d077defaffa94db83d0266390cf3b7e

SHA1
3cafa5fa84971e632f45c3bb1402bc3f85b00f07

SHA256
5e08d31b4c96f397b873ae4ef38f75b887c1ad96e021b985133652827849c130

SHA512
20f23a3c466fda5c8bd1c9185815da92fe4c9e49a45d3d3ae15083261ba0d18827beba563cb37095f665e2fc48df4503b5eeb2bb70689ba51225a96ba37a405a

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
92KB

MD5
67ef043574dc3004d8cd3c0f12d6192f

SHA1
00c477b453c13b81e1b4e892234e33d5516d0772

SHA256
b4b7fce577ac971e6a4c638133c443b0a8b80339e922418291eadf80624a84ab

SHA512
7a4b6a0cad6a19164313456c8cbd90f257e24eb14a977dcd4b5826ad54e9eeb2dccf12fa91ebbe639b0281f5eca5bd31dadd0d8cc533c02d54efaa64bf036755

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
92KB

MD5
9832d16b52a65945fdd86826d706b67e

SHA1
6cef37cecb1feb70ed98cf6649cf503684790fb0

SHA256
155a4446ec32db3f4007907777a77108f309c5c90351847f1555a071b00465d9

SHA512
bbb2b5eedf6102fe46ff348dc1110633f71b2a017a3e37d0d6e7ffa7702803f3bc1202f0fe50c0496f3dee49b450cfbf5a0bfcc949112aaefb72e941ec3dfd39

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
92KB

MD5
bae8be3daef14dc477bbc9865dacaad0

SHA1
c35ec5fa246656098fc528a73b0124bf3ac8d80c

SHA256
68e568f429b348565d777a766b9dedb8a7de4aa156b9a3ab328c7213cdafc322

SHA512
a6744ab0e279e5788b8306b684ee0cf215b874fdd15a51b7c3e909fcb1447bda86909f1ad4bc41fdef41e05277ae0e80c141e68231e2335701a758486ecedd39

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
92KB

MD5
4185d6b388cfa36aeb17327b95408b90

SHA1
1526e9da4d5f0518756d8c782a44ca8f23608fd9

SHA256
85610b90d87ac6655de8d02481fc733d556dd65d38430a23db97a1c06372911e

SHA512
88d201334ae6f4d881a537254055d3b41ad9f53e472ff37d3c89de5be7f6f4a97a90578d424f1d7a7ad0db99d9d62ca52320479285150bfe5083e46b299a8e09

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
92KB

MD5
41d3433a32a6ed17e4a0db0e4d5fe348

SHA1
231da750d733c0c4521fe64adb38a012a18d3465

SHA256
55be9b01e8caa51de3a94402fe476b00ddbc783024522ccab5e51da26b81d576

SHA512
98cde919732376f876cb48873135e97a7c343b44294ab0c37e9b7bc575092f62e6b7fed393f7d7797b1b7f9a3192ac78a8474e9107b9a0cf3819fed5f9f30480

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
92KB

MD5
5dcfae85c905bc71bc600e0be94c22ce

SHA1
cea49f906796672e4319493cd8d0896ff873c92f

SHA256
011d8d4983da678c9145b6eca8259131d86f0323b2447689815d5b799e2febaf

SHA512
10425621c84ecb16892df45a11cc9fe5959ab4a5525e6e5a84cc5352affa7aec9b7ee263e085c1659022cd1c1ca5db475bb816e28ed6c7914c77feab9487404e

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
92KB

MD5
23302615b01618e65cf8343c480de719

SHA1
ac3c1c83a3506a63f6f1af53deb4cfc7cab9d5ea

SHA256
0a349f910217e19bcce46bfb6b905191ff8865840bff44a3bd1b1c9752c432a3

SHA512
1bd9ea4cc4a49dc8565bd3705943e41e57617852989ac2e63f0198e3a94bc87e90d44f45a45fe7b725ddf4ac5409eb67614b15a1919a283245306ab207e9e996

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
92KB

MD5
b25cfeb48d3cf694ef5746032d2b6a0e

SHA1
dc2fcb0fac25d4a6647499f0e33e829d36c918ad

SHA256
00cd2dcee9c20661473421050eb9a57b16289bf38eaf4fefb09d058c033c1ef5

SHA512
255bb5a9281ba82ba59008520db78e7d9e59a739e9734ae83b1f14aa2bde026f79a96e456f0b147c56c57d93bf0d76f4bf9b9379f96d6a79d7eff8a6129d49af

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
92KB

MD5
0ff92d1a428f10f9d231efe5cf2378f3

SHA1
7587de3b76ce5f67ec18fa0de17eff95ecee98dc

SHA256
b3d02a5e7658ae9f440066215e052190550c005adaac584b878d900ea33e0e6a

SHA512
d87dc619efd0f2518d15267c63a6458ac7594bd5bcc038f4278f46ced4d5457a7ce5809578b538f96a675992e6918eaa397e37d7c4e9d31ce3f9c759d1cb313e

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
92KB

MD5
9985ac33cf79c99b333785db0b49bca0

SHA1
18411fadcfa3ab6005e07ff8fa5717b9b1f2c13f

SHA256
a282efc20fe96219fb099d02e62c0f537c724ff75c750ed0493eaf21d115a5d4

SHA512
f5c018c5fd50c4bbeb9523f04020d22e83987393ae120612d5a9a54e3c20baa3ca65dd4433f9b496426f409d4d9a6a79b7c46f24d3f98f79fb2efc8f24778dcd

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
92KB

MD5
d4ec44aa477a34e6e2ffc0202b19f6be

SHA1
e4c1e5c33cc5641193d6927b148fcf042c271d62

SHA256
33c14a9e27196dd5c084fc563aebea8873809f263fcdb9b3f1307dab1a084bc6

SHA512
e4032d24fa786a47b010187e1926ad0b130a8c70ff0a47dec9beb9868cf6bc88e0177acde675d373df09c6afff776556abf2bb3e15700f28223c691536c45e5e

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
92KB

MD5
33a9735d8c5a794d9518861f7fcc0104

SHA1
a2a8cd492f996bdc4d64cb9e9eaa63967aca5b4b

SHA256
a21ae8abf933abf7da922417d26e888cb34132e16c2cffcff50816c9ac116444

SHA512
6c4ab85a702062efbcf6e11097b26e69742bd575e47afe1177877a7208e118c80d964bf3832507f5dcc6616f302a5b762bab814157a613c084df760aca11213c

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
92KB

MD5
bcbcde84463b361f68995f8fd51172b2

SHA1
396e3277a5c6673516947a87f8cb09a1df5cb36a

SHA256
5a5abbad6a3614a38a6ed73207d9df8677ef7f7813cc3eecb9d571f3302ac6cd

SHA512
ac7cf455ffc10830f1e0700af2e951204f00669ed70ad91be460eed59a7218a7b39218e283fbbc5eecf76917cb18cd427626464fcf5fbe603a0967e543d24dde

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
92KB

MD5
50b3844f713615bc549431d7d967414b

SHA1
8b751bc8782a2e649e506935f3cd5b476ab1f1c7

SHA256
084feb12617b35858b91fa49320098b0bc5eaeef188e91d3626ba0aefc265da8

SHA512
e475edd502cbaec2be3b6c57f45be19a3475e3af65e3359aca9272f48534d60582c5d635f329366f5afa7b8bdf2b820a63d7c10474bbbea356fad43bc981fab0

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
92KB

MD5
a3b01f1f2e86f34671c5f52f12e322a9

SHA1
d2e9a6b892af9ab86983b9bbeeeb81a42ec9a0e6

SHA256
62034a98bfa46300f23e3f136fabc43c19d46847aa2080807ad5640e18c41bac

SHA512
b7e3b5600d627e35f7491d81bcb12377cb97d27350b489fa5f46702282cd0dd21718777a386eb81125f41afcb48859826899a4b97a43897f2e40ae569bd3bbc6

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
92KB

MD5
de81238879c828f2e519eea897ec8984

SHA1
d47edbfca6a85d63d64eefffe848f515d8ae26e3

SHA256
a5499bde951d057eab18533cd5af201588455ed2d861ce3dcbdef55f353227f5

SHA512
8ce1deebdf8239475e77dbea7bb7dc0a16ac5f0ad37e7f2b95c1775ccec80678be647c6ee912fec6b082a1baba4df7c11c664386832edd7667243ab4e3cbb286

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
92KB

MD5
e870ea9b6bd78da3ad61c2693b850a33

SHA1
e1fa1252646377826e37e3d7519047746a8478fb

SHA256
9bff322df94b674f79d333a1ad0f1922207b25f11f5257349739773a01ef9298

SHA512
e7eafeb2c003ff120bac4203e6694990ee448497a899388b287a1c037998b3d951c987d64ed878b3f69924dba582031f8327798d68a4e5043e9ca9a377af772f

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
92KB

MD5
0daeb16ff1aa67b7f3781b4614ed2691

SHA1
503addfbe651ec150bbeabccd923d71bbfc46140

SHA256
6634115d62c4aef8a6ae645c81f2868b27b7d6783b36195200c1bd2f55e6f447

SHA512
f92f5a8435b880c3ddb615106a1f57f657d612ff4b1eb150b2bcf4728c3578b620a44570a7ad9fdf5f7bfe7a6ab135a9ce977198d99ad25b417d773b54f19688

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
92KB

MD5
dceabc4d89a8130e11793a998403365a

SHA1
7c9d1922078e7788a6ae9c910cdac8338e79ebaf

SHA256
cec6f0a7a8b783a9c0fa3c9589fa61271135746d317db31a80adc285bdb173fd

SHA512
c9aacd63a621daa6e3f848c7c996c70a83786827ed9e76f8eba658fff26f15d2ea2663b65745d91c6fb2d3940b0510a50c513bf2b3b3fecb5f07a36054655566

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
92KB

MD5
0fc903f65113b0ffddfd17e047e57e7e

SHA1
6ec00e101820993bea15841f8db094899cb4091a

SHA256
17db65ff15d91bbd4e2a42c51affb2ff269555907b90f076e86e18f2f1aac337

SHA512
485fd6ef57380b9831b7d100df3e0686d1ae6ae5241e4c8cabaf8aebb657f7dfbd23f5b8906807f24d67f8c794e5ad9a9cff165ea0555831b3da1dc28e747b20

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
92KB

MD5
77a7c8cb01188e391b49a590842ba1b8

SHA1
d75340d68d652f8511a08a39d1a336dbf80c0e52

SHA256
54b4fe6cefd80f9dc685e9f09482ac97fea1520f34bf545891f0c62205dad711

SHA512
88885d92abdfa35dbb3c2e92bcb8e5035b33164f7875751d77b159c0a449615e0a4f4ab6e80974208f91673b98bd7df5d827e99ebf84b2257e714ce9f8639499

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
92KB

MD5
4f376c70f8ab2b413b64b365a02b0100

SHA1
325486f885e313ef283f2304688b2f4b256cd00b

SHA256
8292809d2d2cd275b83b8a4caf8ef4c8dc65a63096ff45594b8fcd38f3ee8995

SHA512
b664ee3c16baadc70117007607130fc6bc2e5088b8c83d4e2488e9efca38055ba6ce94e85a1b9b9434159ce7cfda22704078b4fc937293da6f5cb97367eedb40

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
92KB

MD5
76dc89e986a35b2ff3afbe25226a0e55

SHA1
8fe6a04bc9ccaa1255a17ac2b19817e46914e66b

SHA256
060577550068e335e24966843df8825c66ce0f296c48cb0e6a532a4eecb4db59

SHA512
59048c828861712d1c030143217ce2a8b7af3c0312435215648fa0f9968d43959b1503f4c0751087a58800c09f8950ba5f22303929d684223caff0826e16536b

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
92KB

MD5
ff183bcd2c122feb09880ee3ba2e309b

SHA1
b8117884cc0ffbcd85283ab7f63848cf69951eaa

SHA256
470e5a7bca68ab82c1421452c0c3694f8ef3857b21ef340b24fda264354616fe

SHA512
be2ecfdd8b880a7d26c017b368defafa8e078db7650ad68a24268db253e1d4941b925864b3b65507e0e8c2dfe2639b8f3e3c94e19011cba2a4e8655da985631c

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
92KB

MD5
b97a616c277caa4fc1f656f8669e7ad1

SHA1
30b5f17a963fa60b929940ab755e5d74bc261d18

SHA256
0ea48758c7ec80b7c85ecff3ab2066f478936cb4f3f9540d8166a288bc54b0cf

SHA512
70461521c6dcca4043b73ce77ef27a579b422f073507164ca13e8670cf560518b199c3f11fda186638a7e6f0ef8fa4ec8eba8ae7bc85fcfce741fdfb346eeff3

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
92KB

MD5
ff5477a266d7abc01c986811bc414eb4

SHA1
45c0bbf5c0b8f1f9ba5f4a8ab64e477461376636

SHA256
4bb7aa300bc4ead9422aa1b9ac6db8a844cf1035a285633d9a37ea109d95a628

SHA512
75724953e1f798bac6acdb00c24b2e723f404b0bf385a51018040a426ce440c3221360af87886e829e2c57de53282b179b811f22995341edc23d36928ba82350

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
92KB

MD5
f89bf842a21f3e2fbfdb3cba4e0c154f

SHA1
746cff0ad8e83f1b2fa75ee622381a23a1ad52dc

SHA256
75624ac2ea5ec8ba88f4dfd016aab418789154e037db8b9d84c47f39c1a3358a

SHA512
17e3cb3150aa66fc36186db91454e305c1c93ae93095956f3f37082fc1b416e39c2eba54d40a7d28bd7ba7448a7a49886ebb3583bcfebed96f65043de17f0a73

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
92KB

MD5
6cec4cebfb00407f82d6b22f687567a2

SHA1
15505265c69dc79e6b39b628cab867018689bae9

SHA256
97dd0e2142a21104a2a58c6492e8b2a0f71b4f187011c17f8e3a7b0c87204c32

SHA512
8543bf9352425d45e4df42d41cd0ac1c8e9739d4bb245b86862d2a1d8f82541d218af52205f3b38472539e758f3ca5ad89af030a256304616f6995a19b2ef73c

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
92KB

MD5
1cd96f5dba3e802759ccea44db8358b7

SHA1
121f079df085ea0066a654ea073949149b1f054f

SHA256
fd27f9c27b0953913a9b9c64be9a21198ca2b37c460db46680e1fffae9ff7076

SHA512
c65df1e3663cf356b989239856162c7bac62ddd5c175d7a1ac4d5a32e2dc0f4e9f8baf8e6154a13ed3242a78840943021b827eeb0e617f0356485b7b062b21c8

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
92KB

MD5
ba726292e5f099a7c31b207c5ead14f0

SHA1
1e2002b1c1160cf931d29ddc60ca58c330444ec9

SHA256
ce24bde43e5c79070758c674233fead1b1bfe264d673eb3c5d9f0dfef664890d

SHA512
e1909f8e637db16f49427844300fa17e05b8c082fb7840d6cd6f3a226996b79287a4f4db66f27320b7dbd372c791522a10f4636c8a1a7a87344ad9008d9afe30

Download Submit
memory/372-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/540-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1892-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3116-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3316-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-395-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

Filesize
4KB

Download
memory/3384-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3820-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4248-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4732-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads